safe-editor <= 1.1 - Unauthenticated CSS/JS-injection

When saving JS/CSS in this plugin then both private and public ajax-hooks are being used. Because of this anyone can post JS/CSS that are saved to the db and printed to the head and footer portion of the page.

PoC

In the file “index.php” (in root folder) on line 188 and 189 you can see that both private and public ajax-hooks are called and is referencing to the function “se_save”. This function does not do any authentication check or string sanitizing. Therefore you can inject whatever you want where the “wp_footer” and “wp_head” is called. With the use of for example cUrl or the chromeapp Postman this can be exploited with ease. Example: URL: http://www.site.com/wp-admin/admin-ajax.php (Postdata displayed in JSON) # JS injection { type: ‘js’, data: ‘alert(“Hello world!”);’, action: ‘se_save’ } # CSS injection { type: ‘css’, data: ‘body { display: none !important; }’, action: ‘se_save’ }