CVE-2019-12934 – wp-code-highlightjs WordPress Plugin CSRF leads to blog-wide injected script/HTML

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.

wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.

An attacker could leverage this CSRF to inject a script tag that executes once the forged settings request succeeds; coupled with a WordPress user-creation payload, this could potentially lead to RCE.

Proof of Concept:

where poc.js could be a payload similar to:

https://github.com/hakluke/weaponised-XSS-payloads/blob/master/wordpress_create_admin_user.js


CVE-2019-12346 – miniOrange SAML SP Single Sign On WordPress Plugin XSS

miniOrange SAML SP Single Sign On WordPress Plugin version 4.8.72 and below is vulnerable to a Cross-Site Scripting attack via a specially crafted SAMLResponse XML payload.

This exploit works by passing crafted SAMLResponse and RelayState parameters to https://victim.com/wp-login.php

The plugin then parses the SAMLResponse message, and in the event that the SAML status is anything other than “Success”, it echoes the contents of the expected status field back to the browser, so arbitrary HTML can be injected through this variable.

For example a SAMLResponse payload will look like this:

This payload will need to be Base64 encoded and sent as the “SAMLResponse” parameter along with RelayState=testValidate.

Proof of concept:


CVE-2019-11511 – Zoho ManageEngine ADSelfService Plus XSS

RestAPI/PasswordSelfServiceAPI in Zoho ManageEngine ADSelfService Plus version 5707 and below allows remote attackers to inject arbitrary web script or HTML via the PSS_OPERATION parameter.

Example Proof of Concept:

Store the XSS payload:
https://example.com/RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=%22%7D%3B%3Chtml%3E%3CIMG%20SRC=/%20onerror=alert(document.cookie)%3E%3C/img%3E

Trigger payload execution:
https://example.com/RestAPI/PasswordSelfServiceAPI?operation=passwordSelfService&PRODUCT_NAME=ADSSP

Google Dork:
inurl:"showlogin.cc"
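For defenders, the three advisories above share a useful property: each attack leaves a recognisable trace in ordinary web-server access logs. The script below is an added example (not part of any of the advisories, and not code from the affected vendors) that scans combined-format access-log lines for all three patterns: a PSS_OPERATION value carrying markup into RestAPI/PasswordSelfServiceAPI (CVE-2019-11511), a POST to the wp-code-highlight-js settings page whose Referer is not the site's own origin (CVE-2019-12934, where the request comes from the victim admin's browser so the source IP is not useful), and a SAMLResponse sent to wp-login.php whose StatusMessage element contains HTML (CVE-2019-12346). The log lines, the host name `blog.example`, and the `OUR_HOST` constant are constructed for the example; the same checks generalise to any parameter or element that a vulnerable page reflects without escaping.

```python
"""Access-log detection for the three advisories above (added example, not vendor code)."""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# Hypothetical protected site; a Referer from any other origin on the settings POST is suspicious.
OUR_HOST = "blog.example"

# Apache/nginx "combined" format; the referer field is optional so plain "common" lines also parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # any HTML tag opener
STATUS_MSG_RE = re.compile(rb"<(?:\w+:)?StatusMessage[^>]*>(.*?)</(?:\w+:)?StatusMessage>", re.S)


def parse_line(line):
    """Split one log line into ip, method, path, decoded query dict and referer (None if no match)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    req["query"] = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return req


def check_adssp(req):
    """CVE-2019-11511: PSS_OPERATION carrying markup into PasswordSelfServiceAPI."""
    if not req["path"].endswith("/RestAPI/PasswordSelfServiceAPI"):
        return None
    value = unquote_plus(req["query"].get("PSS_OPERATION", ""))  # second decode catches %25-double-encoding
    return "CVE-2019-11511" if TAG_RE.search(value) else None


def check_wp_csrf(req):
    """CVE-2019-12934: settings POST whose Referer is missing or from a foreign origin."""
    if req["method"] != "POST" or req["path"] != "/wp-admin/options-general.php":
        return None
    if req["query"].get("page") != "wp-code-highlight-js":
        return None
    referer_host = urlsplit(req.get("referer") or "").hostname
    return "CVE-2019-12934" if referer_host != OUR_HOST else None


def check_saml(req):
    """CVE-2019-12346: SAMLResponse to wp-login.php whose StatusMessage contains HTML."""
    if req["path"] != "/wp-login.php" or "SAMLResponse" not in req["query"]:
        return None
    try:
        xml = base64.b64decode(req["query"]["SAMLResponse"])
    except (ValueError, binascii.Error):
        return None
    m = STATUS_MSG_RE.search(xml)
    if m and TAG_RE.search(m.group(1).decode("utf-8", "replace")):
        return "CVE-2019-12346"
    return None


CHECKS = (check_adssp, check_wp_csrf, check_saml)


def scan(log_text):
    """Return (source ip, CVE id) for every line that trips one of the checks."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for check in CHECKS:
            cve = check(req)
            if cve:
                hits.append((req["ip"], cve))
    return hits


# Constructed sample traffic (not real logs). The SAML status message carries harmless
# markup to stand in for whatever HTML an attacker would place there.
_SAML_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    b"<samlp:StatusMessage><b>injected markup</b></samlp:StatusMessage>"
    b"</samlp:Status></samlp:Response>"
)
_SAML_B64 = quote(base64.b64encode(_SAML_XML).decode())  # percent-encode '+' and '=' for the query string
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Jun/2019:10:01:02 +0000] "GET /RestAPI/PasswordSelfServiceAPI?operation=verifyUser'
    '&PRODUCT_NAME=ADSSP&PSS_OPERATION=%22%7D%3B%3Cb%3Einjected%3C/b%3E HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jun/2019:10:02:03 +0000] "GET /RestAPI/PasswordSelfServiceAPI?operation=verifyUser'
    '&PRODUCT_NAME=ADSSP&PSS_OPERATION=resetPassword HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jun/2019:10:03:04 +0000] "POST /wp-admin/options-general.php?page=wp-code-highlight-js'
    ' HTTP/1.1" 302 0 "http://attacker-site.example/" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Jun/2019:10:04:05 +0000] "POST /wp-admin/options-general.php?page=wp-code-highlight-js'
    ' HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php?page=wp-code-highlight-js" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2019:10:05:06 +0000] "GET /wp-login.php?SAMLResponse=' + _SAML_B64
    + '&RelayState=testValidate HTTP/1.1" 200 1024',
])

if __name__ == "__main__":
    for ip, cve in scan(SAMPLE_LOG):
        print(f"{ip}\t{cve}")
```

Treating a missing Referer as suspicious for the settings POST is a policy choice: legitimate form submissions from wp-admin carry one, but privacy extensions can strip it, so tune that branch (or use the Origin header where the web server logs it) before alerting on it in production.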