This repository shows some information on this vulnerability, which was found by me.
c4cnm/CVE-2024-3867
CVE-2024-3867

Here is the official description: The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

So, basically, this vulnerability is exploited by sending malicious links. The issue is that when the page loads, any additional query parameter sent to the server is written back into the page without escaping, so attacker-controlled markup becomes part of the response.

The vulnerable endpoint is /collections/. If you send the following payload in a GET request, you should get an XSS alert pop-up: /collections/?teste.com/%3E%3Cscript%3Ealert(%27XSS%20CAIS%27)%3C/script%3E

So, if the web application is running on https://souvulneravel.com, this link would be a perfect phishing lure: https://souvulneravel.com/collections/?teste.com/%3E%3Cscript%3Ealert(%27XSS%20CAIS%27)%3C/script%3E

When testing, I realized that the application was doing some string replacement. Spaces and other characters were replaced by '_'. So, for complete exploitation, additional JavaScript functions are needed to bypass this string replacement. I have no time for further explanation now, but use something like atob, etc.
