WordPress Plugin Vulnerabilities
All in One Support Button < 1.8.8 - Authenticated Stored Cross-Site Scripting
Description
The lack of CSRF (nonce) and capability checks on AJAX calls, such as arcontactus_save_menu_item, could allow low-privilege authenticated users to store XSS payloads via the plugin's settings. The payloads are then triggered on frontend pages.
The vendor attempted a fix in v1.8.1 by adding capability checks and some sanitisation. However, the nonce check was still missing, so stored XSS remained possible via CSRF (tricking a user who passes the capability check into submitting the request). The XSS payload is then triggered in the plugin's settings page.
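Added illustration (not the plugin's code, which is not reproduced here): the class of AJAX handler the advisory describes, as a vulnerable pattern beside a hardened one. Only the hook name arcontactus_save_menu_item comes from the advisory; the function names, the option name, the nonce action, the POST parameter names and the admin script handle are assumptions made for the example.

```php
<?php
/*
 * Illustrative WordPress AJAX handler patterns (not the plugin's own code).
 * "Before" shows the class of bug described in the advisory:
 *   - any logged-in user can reach wp_ajax_* because there is no capability check,
 *   - no nonce check, so a CSRF page can drive a privileged user's browser,
 *   - the value is stored raw and later echoed raw into page HTML.
 * "After" adds nonce + capability checks, input sanitisation and output escaping.
 * Hook name is from the advisory; everything else here is assumed.
 */

// --- Before: vulnerable pattern -------------------------------------------
function example_save_menu_item_vulnerable() {
    $items   = get_option( 'example_menu_items', array() );
    $items[] = array(
        'label' => $_POST['label'],   // raw, attacker-controlled
        'url'   => $_POST['url'],
    );
    update_option( 'example_menu_items', $items );
    wp_send_json_success();
}
// wp_ajax_* fires for every authenticated user (subscribers included);
// without current_user_can() in the callback, anyone logged in may call it.
// add_action( 'wp_ajax_arcontactus_save_menu_item', 'example_save_menu_item_vulnerable' );

// Front-end rendering without escaping: the stored payload executes here.
function example_render_menu_vulnerable() {
    foreach ( get_option( 'example_menu_items', array() ) as $item ) {
        echo '<a href="' . $item['url'] . '">' . $item['label'] . '</a>';
    }
}

// --- After: hardened pattern -----------------------------------------------
function example_save_menu_item_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() terminates the request if it is missing or stale.
    check_ajax_referer( 'example_save_menu_item', 'nonce' );

    // 2. Authorisation: only users allowed to manage settings may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input sanitisation: strip tags/control characters, enforce a URL shape.
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    $url   = isset( $_POST['url'] )   ? esc_url_raw( wp_unslash( $_POST['url'] ) )          : '';
    if ( '' === $label || '' === $url ) {
        wp_send_json_error( 'label and url are required', 400 );
    }

    $items   = get_option( 'example_menu_items', array() );
    $items[] = array( 'label' => $label, 'url' => $url );
    update_option( 'example_menu_items', $items );
    wp_send_json_success( array( 'count' => count( $items ) ) );
}
add_action( 'wp_ajax_arcontactus_save_menu_item', 'example_save_menu_item_hardened' );

// 4. Output escaping at the point of use, on both the front end and the
//    settings screen: sanitising on save is not a substitute for this.
function example_render_menu_hardened() {
    foreach ( get_option( 'example_menu_items', array() ) as $item ) {
        printf(
            '<a href="%s">%s</a>',
            esc_url( $item['url'] ),
            esc_html( $item['label'] )
        );
    }
}

// The admin page that issues the request hands the nonce to its script
// (assumes a script with handle 'example-admin' was registered earlier);
// the JS then posts it as the "nonce" field alongside "label" and "url".
function example_enqueue_admin_script() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_menu_item' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The two checks address different attackers and both are needed: the capability check stops a low-privilege account from calling the handler directly, while the nonce check stops a third-party page from submitting the request through a privileged user's browser, which is exactly the gap the advisory reports remained after v1.8.1.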
Edit (WPScanTeam):
April 30th, 2020 - Confirmed & Envato Contacted
May 1st, 2020 - Envato Investigating, plugin closed
May 12th, 2020 - Plugin re-opened, v1.8.1 released.
May 14th, 2020 - v1.8.1 added capability and some sanitisation. CSRF checks missing, another PoC sent to Envato.
May 25th, 2020 - Asked Envato for updates
May 26th, 2020 - Envato replied that 1.8.1 fixes the issues
May 28th, 2020 - Sent them the PoC again, which is working in 1.8.1
May 29th, 2020 - There appear to be inconsistencies between the latest version from the vendor (1.8.4) and the latest on Envato market (1.8.1).
June 13th, 2020 - v1.8.6 released on Envato, still no CSRF checks and stored XSS attack still possible. Envato notified again and vendor given two more weeks to issue a fix.
June 15th, 2020 - v1.8.7 released, with no changes related to the reported issues.
June 16th, 2020 - v1.8.8 released, fixing the issues.