WPVDB-ID: E9DD62FC-BB79-4A6B-B99C-60E40F010D7A

Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting

Published: 2022-03-23
Author: Taurus Omar
Source: wpscan.com
Tags: hummingbird, admin, cross-site scripting, privilege escalation, security, vulnerability

EPSS: 0.001 (percentile: 24.8%)

The plugin does not sanitise and escape the Config Name, which could allow high-privilege users, such as admins, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PoC

1. Go to Hummingbird's Settings > Configs, edit the "Name and Description" and put the following payload in the Name field:
2. Save and click 'Apply' to trigger the XSS.
3. Go to Hummingbird's Settings > Configs and upload the following config:

{
  "id": 1,
  "name": "",
  "description": "Xss",
  "config": {
    "configs": {
      "settings": {
        "advanced": {
          "query_string": false,
          "emoji": false,
          "cart_fragments": false,
          "lazy_load": { "enabled": false }
        },
        "database": { "reports": { "enabled": false } },
        "gravatar": { "enabled": true },
        "page_cache": {
          "enabled": true,
          "detection": "auto",
          "integrations": { "varnish": false, "opcache": false },
          "preload": false
        },
        "performance": [],
        "rss": { "enabled": true, "duration": 3600 },
        "settings": {
          "accessible_colors": false,
          "remove_settings": false,
          "remove_data": false,
          "control": true
        },
        "uptime": { "enabled": false }
      }
    },
    "strings": {
      "advanced": [ "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n" ],
      "database": [ "" ],
      "gravatar": [ "Gravatar cache - Active\n" ],
      "page_cache": [ "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n" ],
      "rss": [ "RSS caching - Active\n" ],
      "settings": [ "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n" ],
      "uptime": [ "Uptime - Inactive\n" ]
    }
  },
  "plugin": "1081721"
}
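The advisory's root cause is a config Name that is neither sanitised on save nor escaped on output, on both the settings-form path and the config-upload path. The following is an added example of how a WordPress plugin would close both; it is not Hummingbird's own code, and the function names, the `example_*` hook and option key, and the row markup are assumed for illustration. `sanitize_text_field`, `wp_unslash`, `absint`, `esc_html`, `esc_attr`, `current_user_can`, `check_admin_referer`, `update_option` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code): hardening the config Name on both
// input paths named in the advisory and escaping it on output.

// Sanitise on the way in. sanitize_text_field() strips tags and encodes stray
// angle brackets. It is applied unconditionally: the advisory's point is that
// the unfiltered_html capability must not decide whether markup survives here.
function example_sanitize_config_name( $raw ) {
    $name = sanitize_text_field( wp_unslash( (string) $raw ) );
    // Bound the field; a config name has no reason to be long.
    return substr( $name, 0, 100 );
}

// Validate an uploaded config before anything from it is stored.
// Returns a WP_Error on malformed input so the caller can refuse the upload
// instead of persisting whatever the JSON contained.
function example_validate_uploaded_config( $json ) {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) || ! isset( $data['name'], $data['config'] ) ) {
        return new WP_Error( 'invalid_config', 'Malformed config upload.' );
    }
    return array(
        'id'          => absint( $data['id'] ?? 0 ),
        'name'        => example_sanitize_config_name( $data['name'] ),
        'description' => example_sanitize_config_name( $data['description'] ?? '' ),
        'config'      => $data['config'],
    );
}

// Escape on the way out, per context. Sanitising at save time is not enough
// on its own: configs stored before the fix, or written by other code, still
// reach the page, so output escaping is the control that must always hold.
function example_render_config_row( array $config ) {
    printf(
        '<tr data-id="%s"><td>%s</td><td>%s</td></tr>',
        esc_attr( $config['id'] ),
        esc_html( $config['name'] ),
        esc_html( $config['description'] )
    );
}

// Form handler for the settings page (hook and option names assumed).
// Capability and nonce checks stay; sanitisation is added on top of them.
add_action( 'admin_post_example_save_config', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_save_config' );
    $name = example_sanitize_config_name( $_POST['name'] ?? '' );
    update_option( 'example_config_name', $name );
} );
```

The design point is that the two controls are independent: sanitising at save keeps markup out of the database, and escaping at render keeps any markup that is already there from executing. Either alone leaves the admin-only path the advisory describes open to stored data from the other direction.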

