@Xib3rR4dAr
Created May 27, 2022 08:36
Google Tag Manager for WordPress <=1.15.1 XSS

Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
Vulnerable Plugin: Google Tag Manager for WordPress
Vulnerable Version: <= 1.15.1
Vulnerability: Stored XSS
Vulnerable File: public/frontend.php#L:717

Vulnerable Code:

public/frontend.php#L:717

711:	if ( $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_ENABLED ] ) {
712:		$_gtm_top_content .= '
713:
714:	var gtm4wp_scrollerscript_debugmode         = ' . ( $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_DEBUGMODE ] ? 'true' : 'false' ) . ';
715:	var gtm4wp_scrollerscript_callbacktime      = ' . (int) $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CALLBACKTIME ] . ';
716:	var gtm4wp_scrollerscript_readerlocation    = ' . (int) $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_DISTANCE ] . ';
717:	var gtm4wp_scrollerscript_contentelementid  = "' . $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CONTENTID ] . '";
718:	var gtm4wp_scrollerscript_scannertime       = ' . (int) $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_READERTIME ] . ';';
719:	}

Proof of Concept:

Log in as admin and visit: http://127.0.0.1/wp-admin/options-general.php?page=gtm4wp-settings
>> Scroll Tracking
>> Enable Scroll Tracker
>> Set XSS payload in Content ID
>> Save Changes

The stored XSS triggers when any user visits any front-end page, e.g. the home page at http://127.0.0.1

Fix:

public/frontend.php#L:717

var gtm4wp_scrollerscript_contentelementid  = "' . esc_js($gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CONTENTID ]) . '";
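To show concretely why line 717 is a sink and why wrapping the option in esc_js() closes it, the following stand-alone script is an added example (it is not code from the gist or from the GTM4WP plugin). It rebuilds the one affected assignment from the "Vulnerable Code" section with the raw option value and again with the fix, and prints both. Because esc_js() only exists inside WordPress, the script defines a simplified stand-in with the same quote and newline handling when the real function is absent; the constant value 'scroller-contentid' and the option string are constructed for this example and are not the plugin's real values.

```php
<?php
// Added example, not part of the gist or the GTM4WP plugin.
// Contrasts the unescaped concatenation at public/frontend.php line 717
// with the esc_js() fix proposed in the gist.

// Assumed constant value; the plugin's real value is not on the page.
if ( ! defined( 'GTM4WP_OPTION_SCROLLER_CONTENTID' ) ) {
    define( 'GTM4WP_OPTION_SCROLLER_CONTENTID', 'scroller-contentid' );
}

// Simplified stand-in for WordPress esc_js(), used only when running
// outside WordPress. Inside a plugin, always call the real esc_js().
if ( ! function_exists( 'esc_js' ) ) {
    function esc_js( $text ) {
        // Double quotes become &quot; so they can no longer end the JS string literal
        $safe = htmlspecialchars( (string) $text, ENT_COMPAT, 'UTF-8' );
        // Backslash-escape single quotes and backslashes
        $safe = addslashes( $safe );
        // Strip CR and turn LF into a literal \n so the literal stays on one line
        return str_replace( array( "\r", "\n" ), array( '', '\n' ), $safe );
    }
}

// Constructed option value standing in for what an administrator typed into
// "Content ID". The closing quote and trailing comment are the interesting part.
$gtm4wp_options = array(
    GTM4WP_OPTION_SCROLLER_CONTENTID => 'content"; console.log("left the literal"); //',
);

// Mirrors the vulnerable line 717: the raw option lands inside a JS string literal.
function render_vulnerable( array $options ) {
    return 'var gtm4wp_scrollerscript_contentelementid  = "'
        . $options[ GTM4WP_OPTION_SCROLLER_CONTENTID ] . '";';
}

// Mirrors the fixed line: esc_js() neutralises the quote before concatenation.
function render_fixed( array $options ) {
    return 'var gtm4wp_scrollerscript_contentelementid  = "'
        . esc_js( $options[ GTM4WP_OPTION_SCROLLER_CONTENTID ] ) . '";';
}

// Quick self-check: in the fixed output the only unescaped double quotes are
// the two that the template itself emits around the value.
function literal_stays_closed( string $js ) {
    return substr_count( $js, '"' ) === 2;
}

echo "Vulnerable output (value terminates the string and runs its own statement):\n";
echo render_vulnerable( $gtm4wp_options ), "\n\n";

echo "Fixed output (value stays inside the string literal):\n";
echo render_fixed( $gtm4wp_options ), "\n\n";

echo 'Vulnerable literal closed properly: ' . ( literal_stays_closed( render_vulnerable( $gtm4wp_options ) ) ? 'yes' : 'no' ) . "\n";
echo 'Fixed literal closed properly:      ' . ( literal_stays_closed( render_fixed( $gtm4wp_options ) ) ? 'yes' : 'no' ) . "\n";
```

Run it with `php example.php`. The vulnerable rendering prints four double quotes, so the browser sees a closed string followed by an attacker-controlled statement; the fixed rendering prints exactly two, with the remaining quotes turned into `&quot;`, which is why the value can no longer escape the literal. The same check (count the quotes emitted around a dynamic value inside inline `<script>` output) is a cheap way to review other option-to-JavaScript concatenations in a plugin, and any value that reaches a JS string literal without esc_js() or json_encode() deserves the same treatment.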

References:

https://blog.wpscan.com/why-admin-xss-is-a-valid-security-issue/
