WordPress Plugin Vulnerabilities
White Label CMS <= 1.5.2 - Stored XSS
Description
Due to a lack of CSRF protection and a lack of sanitization of user input, it is possible to trigger a Persistent XSS attack via a CSRF attack. This attack targets in particular the Import functionality, which is located in the 'wlcmsImport' function, within the file '/white-label-cms/wlcms-plugin.php'. The path to execution is the hook added to the 'admin_menu' action, which calls the 'wlcms_add_admin' function. The 'wlcms_add_admin' function allows the 'wlcmsImport' function to be triggered simply by providing an action parameter with the value 'import'.
Due to the lack of CSRF protection, it is possible, if an administrative user can be tempted to visit a malicious site, to inject HTML which will be displayed to all users, depending on the template in use, in the form of a custom IMG element. By providing an invalid URL to this element and utilizing the 'onerror' event, custom JS can be triggered, which can result in Privilege Escalation. The default WordPress template will trigger the XSS on all pages of the site, as will the default WordPress Administrative theme. This is made possible by the ability to import wlcms options via the import functionality, overwriting the current options.
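The following is an added example, not the plugin's own code, showing the pattern the advisory describes and how a WordPress admin-side import handler is hardened against it: a capability check, a nonce verified with 'check_admin_referer' (CSRF), sanitization of the imported values before 'update_option', and escaping at output time when the stored value is rendered as an IMG element. All function, option and form field names ('example_*') are hypothetical.

```php
<?php
// Added example (not the plugin's own code): a hypothetical WordPress
// settings-import handler, first in the insecure shape the advisory
// describes, then hardened. Option and field names are assumptions.

// --- Insecure pattern (do not use) ---
// The request is trusted solely because the caller is logged in, and the
// submitted value is stored verbatim, so a forged cross-site request from an
// authenticated administrator's browser is accepted and the raw markup is
// later echoed to every visitor.
function example_insecure_import() {
    if ( isset( $_GET['action'] ) && 'import' === $_GET['action'] ) {
        update_option( 'example_logo_html', $_POST['logo_html'] ); // no nonce, no capability check, no sanitization
    }
}

// --- Hardened handler, hooked to 'admin_menu' like the advisory's path ---
function example_secure_import() {
    if ( ! isset( $_GET['action'] ) || 'import' !== $_GET['action'] ) {
        return;
    }

    // 1. Capability: only users allowed to manage options may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. CSRF: the request must carry a nonce bound to this action. The field
    //    name 'example_import_nonce' matches wp_nonce_field() in the form below;
    //    check_admin_referer() dies with an error page if the nonce is missing
    //    or invalid, which is exactly what a forged cross-site request lacks.
    check_admin_referer( 'example_import', 'example_import_nonce' );

    // 3. Input sanitization: store the logo as a URL and plain text only,
    //    never as raw HTML, so there is no element or attribute to abuse.
    $logo_url = isset( $_POST['logo_url'] )
        ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) )
        : '';
    $logo_alt = isset( $_POST['logo_alt'] )
        ? sanitize_text_field( wp_unslash( $_POST['logo_alt'] ) )
        : '';

    update_option( 'example_logo_url', $logo_url );
    update_option( 'example_logo_alt', $logo_alt );
}
add_action( 'admin_menu', 'example_secure_import' );

// The import form emits the nonce that check_admin_referer() later verifies.
function example_import_form() {
    $action_url = admin_url( 'admin.php?page=example&action=import' );
    echo '<form method="post" action="' . esc_url( $action_url ) . '">';
    wp_nonce_field( 'example_import', 'example_import_nonce' );
    echo '<input type="url" name="logo_url"> <input type="text" name="logo_alt"> ';
    echo '<button type="submit">Import</button></form>';
}

// 4. Output escaping: the IMG element is built by the plugin from the
//    sanitized pieces, so a stored value cannot become an attribute or an
//    event handler on the rendered page or in the admin theme.
function example_render_logo() {
    $url = get_option( 'example_logo_url', '' );
    if ( '' === $url ) {
        return '';
    }
    $alt = get_option( 'example_logo_alt', '' );
    return '<img src="' . esc_url( $url ) . '" alt="' . esc_attr( $alt ) . '">';
}
```

The nonce alone stops the cross-site trigger, but the sanitization and output escaping are what remove the stored XSS even if an administrator submits the form deliberately, which is why both layers belong in the fix.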