Pardakht Delkhah < 2.9.3 – Unauthenticated Stored XSS | CVE 2022-4307

Description

The plugin does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin.

Proof of Concept

1. Install and activate WoocCommerce (dependency, no configuration required)

2. Install the vulnerable plugin (pardakht-delkhah 2.9.2)

3. Under plugin's menu, "Custom payment" > "Gateway Settings", hit the save button to set the default gateway.

4. Invoke the following curl request to store two XSS payloads (both of which will trigger an alert box:

curl http://localhost:10008/wp-admin/admin-ajax.php \
    --data 'action=cupri_action&cupri_fmobile=981111111111&cupri_fprice="><script>alert(`xss1`)</script>&cupri_f0="><script>alert(`xss2`)</script>'

5. The XSS will be triggered when an admin navigates to the plugin's menu (/wp-admin/edit.php?post_type=cupri_pay)