Found a valid bug, but it was an unpatched CVE already reported by someone else.
I wrote this blog 3 months ago, but didn't publish it as it was a duplicate. But now I have changed my mind and decided to publish the pending draft, to at least value the time I gave it here.
No worries, if it cannot be a CVE story, it's a CVE reversing + custom PoC story 😅
After tons of NAs (valid but admin+ 🤢🤮), I was able to find a potential sink for reflected XSS. I carefully analyzed the context where this is echoed to the client. Created a payload, executed? Yes … but eh, you are too late, others are 10x faster.

This particular block of code is part of the function customer_js_to_head, which is registered as a callback function for the hook named admin_head. So it fires automatically when any admin page (/wp-admin/…..) loads.

I proceeded to report it to Wordfence, but then I got a slap in the face: there already exists an unpatched CVE and the vulnerability type is XSS, so there is no point reporting the same bug again while it is unpatched, as it will mostly be considered a duplicate ;(

I tried creating a payload to create a backdoor WordPress account and send the URL to the admin (myself), but at the time I wrote this article I was still stuck, as I had never had an ATO via XSS report triaged.
However, it was the first valid XSS that I found, although it was a duplicate.
Previously, whatever XSS I found were NA, because it was a feature ;(
At least I am happy: I did find a valid vulnerability all by myself, without any help or prior experience of this ecosystem. It's just the beginning, folks 🤘
Duplicates are part of the process, embrace the experience you got!
