WordPress Finder - Cross-Site Scripting

By kannthu

High
Vidoc Module
#xss #wp-plugin #packetstorm #wordpress
Description

What is the "WordPress Finder - Cross-Site Scripting" module?

The "WordPress Finder - Cross-Site Scripting" module is designed to detect a cross-site scripting vulnerability in the WordPress Plugin Finder. This vulnerability allows an attacker to execute arbitrary scripts in the browser of an unsuspecting user. The severity of this vulnerability is classified as high, with a CVSS score of 7.2.

The original author of this module is daffainfo.

Impact

If exploited, this cross-site scripting vulnerability can lead to various malicious activities, such as stealing sensitive user information, performing unauthorized actions on behalf of the user, or injecting malicious content into the affected website.

How does the module work?

The "WordPress Finder - Cross-Site Scripting" module works by sending a specific HTTP request to the target WordPress website. The request is made to the "/wp-content/plugins/finder/index.php" endpoint with the "order" parameter containing a crafted payload.

For example:

/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E

The module then checks the response of the HTTP request against several matching conditions:

- The response body must contain the string "</script><script>alert(document.domain)</script>"
- The response headers must include the string "text/html"
- The HTTP status code must be 200

If all the matching conditions are met, the module reports the vulnerability.
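
The three matching conditions above, applied offline to constructed responses, as an added example (not Vidoc's or the module author's code). It shows why a raw reflection is reported while HTML-escaped output, a non-HTML content type, or a non-200 status is not; `evaluate`, `render` and the sample responses are hypothetical names and data.

```python
import html
import json
from urllib.parse import unquote

# From the page: the encoded "order" value and the module's three matchers.
ORDER_PARAM = "%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
BODY_WORD = "</script><script>alert(document.domain)</script>"
HEADER_WORD = "text/html"
EXPECTED_STATUS = 200


def evaluate(status, headers, body):
    """Apply the three conditions; the finding is reported only if all hold."""
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items())
    checks = {
        "body_word": BODY_WORD in body,
        "header_word": HEADER_WORD in header_blob,
        "status": status == EXPECTED_STATUS,
    }
    checks["report"] = all(checks.values())
    return checks


def render(order, escape):
    """Constructed stand-in for a page echoing 'order' (not the plugin's code)."""
    value = html.escape(order, quote=True) if escape else order
    return f'<html><body><input name="order" value="{value}"></body></html>'


def sample_responses():
    """Constructed (status, headers, body) triples, one per outcome."""
    decoded = unquote(ORDER_PARAM)
    html_hdr = {"Content-Type": "text/html; charset=UTF-8"}
    json_hdr = {"Content-Type": "application/json"}
    return {
        "raw_reflection": (200, html_hdr, render(decoded, escape=False)),
        "escaped_output": (200, html_hdr, render(decoded, escape=True)),
        "json_echo": (200, json_hdr, json.dumps({"order": decoded})),
        "not_found": (404, html_hdr, render(decoded, escape=False)),
    }


if __name__ == "__main__":
    for name, (status, headers, body) in sample_responses().items():
        print(f"{name:15} {evaluate(status, headers, body)}")
```

The `escaped_output` case models output that HTML-encodes the parameter: the body word no longer appears verbatim, so the module stays silent.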

Module preview

Concurrent Requests (1)

1. HTTP Request template

GET /wp-content/plugins/...

Matching conditions

- word: </script><script>alert(document.domain)<... and
- word: text/html and
- status: 200

Passive global matcher

No matching conditions.

On match action

Report vulnerability