WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)

vendor:

Domain Check

by:

Ceylan Bozogullarindan

6.1

CVSS

MEDIUM

Reflected Cross-Site Scripting (XSS)

CWE

Product Name: Domain Check

Affected Version From: 1.0.0

Affected Version To: 1.0.15

Patch Exists: YES

Related CWE: CVE-2021-24926

CPE: 2.3:a:wordpress:domain_check:1.0.16

Metasploit:

Other Scripts:

Tags: wpscan,cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Nuclei References: https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733, https://nvd.nist.gov/vuln/detail/CVE-2021-24926

Nuclei Metadata: {'max-request': 2, 'framework': 'wordpress', 'vendor': 'domaincheckplugin', 'product': 'domain_check'}

Platforms Tested: Linux

2021

WordPress Plugin Domain Check 1.0.16 – Reflected Cross-Site Scripting (XSS) (Authenticated)

An authenticated user is able to inject arbitrary Javascript or HTML code to the "Domain Check Profile" interface available in settings page of the plugin, due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the administrators. The plugin versions prior to 1.0.16 are affected by this vulnerability.

Mitigation:

Upgrade to the latest version of the plugin (1.0.16) to mitigate this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Date: 30-10-2021
# Exploit Author: Ceylan Bozogullarindan
# Author Webpage: https://bozogullarindan.com
# Vendor Homepage: https://domaincheckplugin.com/
# Software Link: https://wordpress.org/plugins/domain-check/
# Version: 1.0.16
# Tested on: Linux
# CVE: CVE-2021-24926 (https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733)


# Description:

Domain Check is a Wordpress plugin that allows you to see what domains and SSL certificates are coming up for expiration and to quickly locate the coupons, coupon codes, and deals from your favorite sites before renewing.

An authenticated user is able to inject arbitrary Javascript or HTML code to the "Domain Check Profile" interface available in settings page of the plugin, due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the administrators. The plugin versions prior to 1.0.16 are affected by this vulnerability.


The details of the discovery are given below.


# Steps To Reproduce:
1. Just visit the following page after signing in the administrator panel: http://vulnerable-wordpress-website/wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script>
2. The XSS will be triggered on the settings page.