When JS/CSS is saved in this plugin, both the private and the public ajax hooks are used. Because of this, anyone can post JS/CSS that is saved to the db and printed in the head and footer portions of the page.
In the file "index.php" (in the root folder), on lines 188 and 189, you can see that both the private and the public ajax hooks are registered and reference the function "se_save". This function does not do any authentication check or string sanitizing. Therefore you can inject whatever you want wherever "wp_footer" and "wp_head" are called.

With a tool such as cURL or the Chrome app Postman, this can be exploited with ease.

Example:

URL: http://www.site.com/wp-admin/admin-ajax.php

(Post data displayed in JSON)

```
# JS injection
{
  type: "js",
  data: "alert('Hello world!');",
  action: "se_save"
}

# CSS injection
{
  type: "css",
  data: "body { display: none !important; }",
  action: "se_save"
}
```
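One way to close the hole described above, shown as an added example and not the plugin's own code: register only the authenticated hook and make the handler check a nonce, the caller's capability and the submitted type before storing anything. The handler name `se_save_hardened`, the nonce action `se_save_nonce`, the `nonce` request field and the option keys `se_js`/`se_css` are assumptions, since the page does not show how the plugin stores its data.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: se_save_hardened,
// the nonce action 'se_save_nonce', the request field 'nonce', and the
// option keys 'se_js' / 'se_css'.
defined( 'ABSPATH' ) || exit;

// Register only the authenticated hook. The root cause in the advisory is the
// additional wp_ajax_nopriv_se_save registration, which is left out here.
add_action( 'wp_ajax_se_save', 'se_save_hardened' );

function se_save_hardened() {
    // CSRF: reject requests that lack a nonce issued for this action.
    if ( ! check_ajax_referer( 'se_save_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Authorization: stored JS runs for every visitor, so require the
    // capability WordPress already uses to gate raw script/markup input.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // Accept only string fields; anything else is treated as empty.
    $type = ( isset( $_POST['type'] ) && is_string( $_POST['type'] ) )
        ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    $data = ( isset( $_POST['data'] ) && is_string( $_POST['data'] ) )
        ? wp_unslash( $_POST['data'] ) : '';

    // Allow-list the two types the plugin handles.
    $options = array( 'js' => 'se_js', 'css' => 'se_css' );
    if ( ! isset( $options[ $type ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown type.' ), 400 );
    }

    // CSS never needs markup: strip tags so stored CSS cannot close the
    // <style> element and open a <script> element when it is printed.
    if ( 'css' === $type ) {
        $data = wp_strip_all_tags( $data );
    }

    update_option( $options[ $type ], $data );
    wp_send_json_success();
}
```

The admin page that submits the form has to send a matching value, for example one produced by `wp_create_nonce( 'se_save_nonce' )`, in the `nonce` field.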
| CPE | Name | Operator | Version |
|---|---|---|---|
| | safe-editor | lt | 1.2 |