How I found my first CVE in a WordPress plugin
Hi friends,
In this blog I will explain how to install and host WordPress in a local environment (127.0.0.1), how to find a vulnerability in a plugin, and where to raise a request to get a CVE for it.
Before getting started on today's topic, let's first understand what CVE and WordPress are.
What is CVE
The Common Vulnerabilities and Exposures (CVE) system is a public catalogue of publicly disclosed security vulnerabilities in software and hardware. Each entry is assigned a unique identifier (a CVE ID of the form CVE-YYYY-NNNNN) so that vendors, researchers and scanning tools can refer to the same issue unambiguously.
What is WordPress
WordPress is a free and popular open-source CMS (content management system) used to build flexible websites; it powers approximately 75 million websites.
For more information about WordPress, refer to the official WordPress website.
We will see how to download and install WordPress locally.
Step 1: Download the Bitnami WordPress installer from the URL below.
https://bitnami.com/stack/wordpress/installer
Step 2: Install WordPress. During installation a window like the one shown below will pop up in front of you.
Enter the details it asks for (the admin username and password you choose here are the ones you will log in with) and boom, you are done with the installation part.
Step 3: Open the Mozilla Firefox browser, type localhost (or 127.0.0.1) in the address bar and hit Enter. The page shown below will appear; click Access WordPress.
Step 4: To open the WordPress admin page, append /wp-admin to the URL:
http://localhost/wordpress/wp-admin
Step 5: Log in with the username and password configured in Figure 1.1 and you will land on the WordPress admin dashboard.
Now we will see how to install the plugin we want to test for vulnerabilities.
Step 1: After logging into the WordPress admin dashboard, navigate to Plugins >> Add New and type the plugin name into the search field.
Step 2: After installation, activate the plugin by clicking Activate Plugin.
Step 3: We are done with plugin installation and activation. Now we can start applying our testing skills.
Step 4: As we all know, everyone starts with XSS, and so did I, but this time with stored XSS (cross-site scripting).
Let's look at what cross-site scripting is and its types.
In the OWASP Top 10 (Open Web Application Security Project), cross-site scripting was ranked A7 in the 2017 edition (the 2021 edition folds it into A03:2021 Injection).
Cross-site scripting is a web application vulnerability that lets an attacker inject malicious JavaScript into a page served by the application, so that it executes in the browsers of other users who view that page.
How it occurs
- Input coming into web applications is not validated
- Output to the browser is not HTML-encoded (escaped) for the context it is written into: element text, attribute value, script block or URL
Type of Cross-site scripting
Reflected cross-site scripting: Reflected XSS is also known as non-persistent XSS. The attack occurs when a malicious script carried in the request is reflected in the immediate response in an unsafe way.
Stored cross-site scripting: The application stores unsanitized user input that is viewed at a later time by another user or an administrator. This is the variant found here.
DOM cross-site scripting: DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.
How I found the stored XSS
Step 1: First, I entered a random value containing some special characters ("><) into the plugin's input field and checked the application's response. And guess what: the special characters came back in the response without any sanitization or encoding.
Step 2: This made me realise that the application was accepting special characters unchanged, so I tried the universal XSS payload everyone uses: <script>alert(1)</script>.
The payload was stored and reflected in the response, and on the front end the alert popped up in the browser.
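To make the two steps above concrete, here is an added example (my own code, not the plugin from the post or any real plugin) that shows the kind of plugin code behind a stored XSS in a saved option, the fix beside it, and the reflection check from Step 1. It also illustrates the two causes listed under "How it occurs": missing input validation and missing output encoding. The option name xss_demo_title and the canary xss7f3a are assumptions for the example. The file runs stand-alone with the PHP CLI; if dropped into wp-content/plugins it also registers the same option with the real WordPress API.

```php
<?php
/*
Plugin Name: XSS Demo (added example, not the plugin from the post)
Description: Unescaped-output bug behind a stored XSS in a WordPress option, beside the fix.
*/

// Hypothetical option name used throughout this example.
const XSS_DEMO_OPTION = 'xss_demo_title';

// VULNERABLE: the stored option goes into an attribute value and into element
// text without escaping. A stored value of  "><script>alert(1)</script>  closes
// the attribute and the tag and runs whenever an admin views the settings page.
function xss_demo_render_vulnerable(string $stored): string {
    return '<input type="text" name="' . XSS_DEMO_OPTION . '" value="' . $stored . '">'
         . "\n<h2>" . $stored . '</h2>';
}

// FIXED: escape for the context you write into. In WordPress use esc_attr() for
// attribute values and esc_html() for element text; both are built on
// htmlspecialchars() with ENT_QUOTES, which this stand-alone version calls directly.
function xss_demo_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function xss_demo_render_fixed(string $stored): string {
    return '<input type="text" name="' . XSS_DEMO_OPTION . '" value="' . xss_demo_escape($stored) . '">'
         . "\n<h2>" . xss_demo_escape($stored) . '</h2>';
}

// Defence in depth on the input side: strip markup before the value is stored.
// WordPress plugins get this from sanitize_text_field() via register_setting()'s
// sanitize_callback; this is a rough stand-alone stand-in, not the same function.
function xss_demo_sanitize_on_save(string $raw): string {
    return trim(strip_tags($raw));
}

// The check from Step 1 of the post: does the probe come back byte-for-byte?
// An encoded reflection turns " > < into &quot; &gt; &lt; and so does not match.
// A unique canary (xss7f3a) avoids matching a "><" that already exists in the page.
function xss_demo_reflected_raw(string $html, string $probe): bool {
    return strpos($html, $probe) !== false;
}

// Real WordPress hook-up; only runs when the file is loaded as a plugin.
if (function_exists('add_action')) {
    add_action('admin_init', function () {
        register_setting('xss_demo', XSS_DEMO_OPTION, [
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',   // validate on the way in
        ]);
    });
    add_action('admin_notices', function () {
        if (!current_user_can('manage_options')) {
            return;
        }
        $stored = (string) get_option(XSS_DEMO_OPTION, '');
        // esc_html() on the way out; never a bare echo of get_option().
        echo '<div class="notice"><p>Title: ' . esc_html($stored) . '</p></div>';
    });
}

// Stand-alone run:  php xss-demo.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $probes  = ['xss7f3a"><', '<script>alert(1)</script>'];
    $renders = ['vulnerable' => 'xss_demo_render_vulnerable', 'fixed' => 'xss_demo_render_fixed'];
    foreach ($renders as $label => $render) {
        foreach ($probes as $probe) {
            $html = $render($probe);
            printf("%-10s %-28s reflected raw: %s\n", $label, $probe,
                   xss_demo_reflected_raw($html, $probe) ? 'YES' : 'no');
        }
    }
    // Sanitising on save removes the tags but is not the fix on its own: a value that
    // reaches the option by another route (import, REST, direct DB edit) bypasses it.
    printf("sanitized on save: %s\n", xss_demo_sanitize_on_save('<script>alert(1)</script>hello'));
}
```

Running it shows the two probes reflected raw only by the vulnerable renderer; the fixed one returns them entity-encoded. The fix is output escaping at the point of rendering; the sanitize_callback is a second layer, not a substitute.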
Let's discuss the reporting part.
Step 1: To obtain a CVE ID, the first step is to raise a request at https://cveform.mitre.org/
If you get stuck anywhere while raising the request, have a look at this YouTube video.
https://www.youtube.com/watch?v=i2i08JQqvC8
Step 2: At the same time, you need to publish your exploit, once the vendor has released a fix (the template below has a field for the patched version). For that purpose you can use Exploit-DB.
https://www.exploit-db.com/
To publish your exploit, e-mail the details to the Exploit-DB team. The team will review the exploit and publish it.
Use the template below to send the exploit details.
Email ID: submit@offsec.com
# Google Dork:
# Date:
# Exploit Author:
# Vendor Homepage:
# Software Link:
# Version:
# Tested on:
# Patched Version:
# Category: Web Application
# CVE:
# Exploit link:
My exploit is here: https://www.exploit-db.com/exploits/49406
Step 3: Once your exploit is published, copy the link and send it to MITRE. An automatically generated mail will reach you. Now cross your fingers and be patient.
Note: Step 4 applies to WordPress vulnerabilities only.
Step 4: For a WordPress vulnerability you do not need to perform steps 1, 2 and 3; you can request the CVE ID directly through WPScan. Follow this URL:
https://wpscan.com/submit
Submit all the details in the form. Don't forget to tick the highlighted box so that they start inspecting the issue. They will update you accordingly.
Finally, the moment I had been waiting for arrived, and I was assigned a CVE.
Thanks for reading! I hope your moment arrives soon.