Batch-Move Posts <= 1.5 – Broken Authentication leading to Unauthenticated Stored XSS

Description

An attacker can add a Cross-Site Scripting (XSS) payload remotely without any authentication. The Payload gets triggered when an Admin visits the settings page of the plugin.

Edit (WPScanTeam): The plugin is still affected and has been closed.

Proof of Concept

Vulnerable code is from lines 68 to 84. The code gets the value of option `bm_row_amount` from database and matches it with the GET request `row_amount`. If they do not match then it updates the option `bm_row_amount` with the provided GET value. If you follow the file batch.php from top, you may see that the mentioned code is not dependent of any pre condition i.e. checking if user is admin or csrf tokens etc. This means that anyone from outside can call following URL as an unauthenticated user and the option `bm_row_amount` will get updated.

https://example.com/?row_amount="><script>alert(2)</script>

The GET variable `row_amount` can also be sent as POST to bypass firewall and it will still work.

The Payload will trigger on main settings page of the plugin (Posts > Move Categories).

https://example.com/wp-admin/edit.php?page=batchadmin