[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

WordPress All In One SEO Pack 4.2.9 Cross Site Scripting Vulnerability

Author
fearzzzz
Risk
[
Security Risk Low
]
0day-ID
0day-ID-38240
Category
web applications
Date add
28-02-2023
CVE
CVE-2023-0585
CVE-2023-0586
Platform
php
Affected Plugin: All In One SEO Pack

Plugin Slug: all-in-one-seo-pack

Affected Versions: <= 4.2.9

CVE ID: CVE-2023-0586

CVSS Score: 6.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Ivan Kuzymchak 

Fully Patched Version: 4.3.0

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Description: Authenticated (Administrator+) Stored Cross-Site Scripting 

Affected Plugin: All In One SEO Pack

Plugin Slug: all-in-one-seo-pack

Affected Versions: <= 4.2.9

CVE ID: CVE-2023-0585

CVSS Score: 4.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Ivan Kuzymchak 

Fully Patched Version: 4.3.0

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability Analysis

The All In One SEO Pack plugin provides site owners with an intuitive interface to assist in optimizing site content for search engines, both during setup as well as on an ongoing per-post and per-page basis. Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions and other elements during post and page creation, and when changing plugin settings. This made it possible for users with access to the post editor, such as contributors, to insert malicious JavaScript into those fields, which would execute in the browser of any authenticated user, such as a site’s administrator, editing such a post or page.

This is a likely scenario to occur as posts written by contributors have to be reviewed and moderated prior to publication.

xss1 

This vulnerability is a little more unique than the ones we have covered in the past as the vulnerable code is executed as a result of modifying the Domain Object Model (DOM) in the victim’s browser after the page loads. More specifically, in the screenshot above the plugin uses the input in the Post Title field and creates a Snippet Preview on the fly. The malicious code is stored, but does not get executed until this DOM modification takes place. This type of Cross-Site Scripting vulnerability is often referred to as DOM-XSS.

Similarly, an Administrator could modify the Search Appearance or General Social Media settings to include the same malicious payload, which resulted in malicious JavaScript code execution, when editing pages or posts as well as when viewing the all post/page listing.

xss-admin 

It is important to keep in mind that malicious code may be executed within the context of an administrator’s browser sessions and could be used to generate new malicious user accounts and be utilized for code manipulation among other things. As such, these types of vulnerabilities should be taken seriously even if Contributor-level privileges are required for successful exploitation.

Timeline

January 25, 2023 – Wordfence releases a firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability.

January 26, 2023 – The Wordfence team responsibly discloses the vulnerabilities to the plugin vendor.

January 27, 2023 – The vendor confirms receipt and begins work on a fix.

February 6, 2023 – Release 4.3.0 addresses both vulnerabilities.

February 24, 2023 – The firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability is released to our Wordfence Free users.

Conclusion

In today’s post, we covered two Cross-Site Scripting vulnerabilities in All In One SEO Pack, a search engine optimization plugin with over 3 Million users. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the Contributor+ Stored Cross-Site Scripting vulnerability on January 25, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care and Wordfence Response users since that date, while those still using our free version received this rule on February 24, 2023.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of All In One SEO Pack as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

#  0day.today [2024-11-17]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team