This repository shows u some information on this vulnerability, which were found by me.# CVE-2024-3867
This repository shows u some information on this vulnerability, which were found by me.
Here is the official description given:
The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
So, basically, this vulnerability can be exploited with malicious links sending. The issues is that, when the page is loaded, if there was some additional parameter send to the server, the additional content would be write to the webpage.
The endpoint vulnerable is /collections/. So, if you send this payload on a GET request, you may get a xss alert pop-up:
/collections/?teste.com/%3E%3Cscript%3Ealert(%27XSS%20CAIS%27)%3C/script%3E
So, if the web application is running on https://souvulneravel.com, this link would be perfect for catching a fish:
https://souvulneravel.com/collections/?teste.com/%3E%3Cscript%3Ealert(%27XSS%20CAIS%27)%3C/script%3E
When testing, I realized that the application had some string replace happening. Spaces and others characters were replaced by '_'. So, for a complete exploitation, it is needed to use additional javascript functions to bypass this string replacement issue. I am with no time for further explanation now, but use something like atob, etc.
[4.0K] /data/pocs/326f8a02c5a7d122084afe1e3a09ba86618d3b09
├── [ 34K] LICENSE
└── [1.5K] README.md
0 directories, 2 files