Advertisement






WordPress WP-UserOnline 2.88.0 Cross Site Scripting

CVE Category Price Severity
CVE-2022-2941 CWE-79 $500 High
Author Risk Exploitation Type Date
An independent security researcher High Remote 2022-09-25
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022090071

Below is a copy:

WordPress WP-UserOnline 2.88.0 Cross Site Scripting
# Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: Debian / WordPress 6.0.1
# CVE : CVE-2022-2941
# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c

# 1. Technical Description:
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions 
up to, and including 2.88.0. This is due to the fact that all fields in the Naming Conventions section do 
not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, 
with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user 
accesses the injected page.
  
# 2. Proof of Concept (PoC):
  a. Install and activate version 2.88.0 of the plugin.
  b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).
  c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use 
  the following payload:
<script>alert(/XSS/)</script>
  d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload 
   will be executed.

Note: This change will be permanent until you modify the edited fields.

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.