WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use “template” pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was still possible for an unauthenticated user to import a template containing malicious JavaScript. This was due to an admin_post action available to unprivileged visitors, c37_wpl_import_template

PoC

‘c37_wpl_import_template’, ‘files_name[]’ => $cFile, ]); $output = curl_exec($ch); echo $output; curl_close($ch);