{"id":2285,"date":"2021-10-18T12:21:37","date_gmt":"2021-10-18T10:21:37","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=2285"},"modified":"2021-10-18T14:11:03","modified_gmt":"2021-10-18T12:11:03","slug":"my-first-cve-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/my-first-cve-wordpress-plugin\/","title":{"rendered":"My first CVE (2021-24856) – WordPress Plugin"},"content":{"rendered":"<\/span> 2<\/span> min read<\/span><\/span>

Views: 566<\/p>\n

<\/div>\n\n\n\n

Salut \u00e0 tous, petit article rapide d\u00e9taillant ma d\u00e9couverte et ma premi\u00e8re CVE<\/span><\/strong> qui est donc sur un plugin WordPress.<\/strong><\/span><\/p>\n\n\n\n

<\/div>\n\n\n\n

Il s’agit donc ici d’une tr\u00e8s simple XSS Stock\u00e9e<\/span><\/strong>.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Un report sur WPScan<\/strong> tr\u00e8s complet est disponible ici : https:\/\/wpscan.com\/vulnerability\/8fd483fb-d399-4b4f-b4ef-bbfad1b5cf1b<\/a><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

WordPress Plugin :<\/h1>\n\n\n\n
<\/div>\n\n\n\n

Version : 1.6.59<\/strong>
Author : https:\/\/www.tammersoft.com\/<\/a>
Link : https:\/\/wordpress.org\/plugins\/shared-files\/<\/a>
Download : https:\/\/downloads.wordpress.org\/plugin\/shared-files.1.6.59.zip<\/a><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Ce dernier permet de g\u00e9rer<\/strong> et lister facilement un partage de fichiers<\/strong> sur une page d\u00e9finie.<\/p>\n\n\n\n

\n\n\n\n
<\/div>\n\n\n\n

Exploitation :<\/h1>\n\n\n\n
<\/div>\n\n\n\n

Vuln\u00e9rabilit\u00e9 : Shared Files < 1.6.61 – Admin+ Stored Cross-Site Scripting<\/span><\/span><\/em><\/strong><\/p>\n\n\n\n

<\/div>\n\n\n\n

Il faut donc \u00eatre connect\u00e9 sur le panel admin<\/strong> de notre WordPress<\/span><\/strong> puis se rendre dans Settings<\/strong> et Shared Files<\/strong> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n

Le champ Download counter text<\/span><\/strong> qui permet de nommer le compteur du nombre de t\u00e9l\u00e9chargements<\/strong> et de l’afficher<\/strong> sur le widget est vuln\u00e9rable \u00e0 une XSS Injection<\/a><\/span><\/strong> malgr\u00e9 le fait que la variable unfiltered_html<\/span> <\/strong>soit activ\u00e9e dans le fichier wp-config.php<\/span><\/strong> :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"wordpress\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

On peut donc simplement utiliser ce payload<\/span><\/strong> par exemple :<\/p>\n\n\n\n

<\/div>\n\n\n\n
<svg\/onload=prompt(1)><\/code><\/pre>\n\n\n\n
\n\n\n\n
Afin de v\u00e9rifier ceci, il faut donc se rendre sur une page<\/strong> o\u00f9 il y a le widget Shared Files<\/strong><\/span> configur\u00e9 et d\u00e8s que le compteur de t\u00e9l\u00e9chargements<\/strong> va charger le payload<\/span><\/strong> va s’ex\u00e9cuter !<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"wordpress\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
Conclusion :<\/h1>\n\n\n\n
<\/div>\n\n\n\n
La CVE-2021-24856<\/span><\/strong> a donc \u00e9t\u00e9 assign\u00e9e et est donc disponible : https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-24856<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/div>\n\n\n\n
\u2b50Je tiens \u00e9galement \u00e0 remercier la team de WPScan<\/a> qui fait un excellent travail et qui est tr\u00e8s r\u00e9actif et professionnel.<\/em><\/p>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  2<\/span> min read<\/span><\/span>The plugin does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks. Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":2293,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[64,76,45,10,60,75,74],"class_list":["post-2285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-cve","tag-findings","tag-pentest","tag-security","tag-web","tag-wordpress","tag-xss"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=2285"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2285\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/2293"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=2285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=2285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=2285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}