MonsterInsights < 8.9.1 – Stored Cross-Site Scripting via Google Analytics | CVE 2022-3904

Description

The plugin does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics.

Proof of Concept

1. Open a WP page with the plugin and Google analytics installed and search for something that does not exist, let's say ?s=asdf
2. You will see a request being sent to this URL: https://region1.google-analytics.com/g/collect?v=2&tid=G-6S3DZKLR47&gtm=2oe9l0&_p=381293519&gdid=dZGIzZG&cid=1787612615.1664091952&ul=pl-pl&sr=1440x900&_z=ccd.v9B&_s=1&sid=1664091952&sct=1&seg=0&dl=https%3A%2F%2Fwww.bugbountyexplained.com%2F%3Fs%3Dasdf&dt=asdf%20-%20Bug%20Bounty%20Reports%20Explained&en=page_view&_fv=1&_nsi=1&_ss=1&_ee=1&ep.forceSSL=true&ep.link_attribution=true&ep.page_path=%2F%3Fs%3Dno-results%3Aasdf%26cat%3Dno-results
The dt parameter is the page's title which in this case is, after URL-decoding, asdf - Bug Bounty Reports Explained.
3. Send this request to Burp intruder or your tool of choice
4. Replace the dt parameter with URL-encoded payload. <img src=x onerror=alert(document.domain)> will do if you just want the popup, otherwise, you have to use XSS hunter.
5. Send this request to GA enough times so that it makes the top 10 of you pages ie. if the 10th page on your website has 100 views, send 101 requests, if the 10th page has 1000, send 1001... Also, increment the _s parameter with each request.
6. Wait 24h - the results in the plugin only show after a day
7. Go to /wp-admin/admin.php?page=monsterinsights_reports#/ on your website and under the Top Posts/Pages section will be your website with your payload firing.