Batch-Move Posts <= 1.5 - Broken Authentication leading to Unauthenticated Stored XSS



Description
An attacker can add a Cross-Site Scripting (XSS) payload remotely without any authentication. The payload is triggered when an Admin visits the settings page of the plugin.

Edit (WPScanTeam): The plugin is still affected and has been closed.
Proof of Concept
Vulnerable code is from lines 68 to 84. The code gets the value of the option `bm_row_amount` from the database and compares it with the GET parameter `row_amount`. If they do not match, it updates the option `bm_row_amount` with the provided GET value. If you follow the file batch.php from the top, you can see that the mentioned code is not dependent on any precondition, i.e. there is no check that the user is an admin, no CSRF token, etc. This means that anyone from outside can call the following URL as an unauthenticated user and the option `bm_row_amount` will get updated.

https://example.com/?row_amount="><script>alert(2)</script>

The GET variable `row_amount` can also be sent as a POST parameter to bypass a firewall, and it will still work.

The payload will trigger on the main settings page of the plugin (Posts > Move Categories).

https://example.com/wp-admin/edit.php?page=batchadmin
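The pattern the advisory describes, and the way a plugin author would close it, as an added illustration written for this page. It is a hypothetical reconstruction, not the plugin's own code: only the option name `bm_row_amount` and the parameter `row_amount` come from the advisory; every function name below is invented, and the WordPress API calls (`current_user_can`, `check_admin_referer`, `wp_nonce_field`, `absint`, `esc_attr`) are the standard ones.

```php
<?php
// Hypothetical reconstruction for illustration; not the plugin's own code.
// Assumed: option name bm_row_amount and request parameter row_amount (from the
// advisory); the bm_* function names are invented.

// BEFORE (the pattern described in the advisory): the request value is compared
// with the stored option and written back with no capability check, no nonce and
// no sanitisation. $_REQUEST covers both GET and POST, which is why sending the
// parameter as POST works equally well.
function bm_save_row_amount_vulnerable() {
    $stored = get_option( 'bm_row_amount' );
    if ( isset( $_REQUEST['row_amount'] ) && $_REQUEST['row_amount'] !== $stored ) {
        update_option( 'bm_row_amount', $_REQUEST['row_amount'] );
    }
}

// ...and the settings page later echoes the stored value unescaped into an
// attribute, so the stored string is rendered as HTML for the admin who views it.
function bm_render_row_amount_vulnerable() {
    echo '<input name="row_amount" value="' . get_option( 'bm_row_amount' ) . '">';
}

// AFTER: only accept the value on an admin POST, require the capability, verify a
// nonce, coerce the value to the integer it is meant to be, and escape on output.
function bm_save_row_amount_fixed() {
    if ( ! is_admin() || ! isset( $_POST['row_amount'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;                                            // authorization
    }
    check_admin_referer( 'bm_save_row_amount' );           // CSRF: dies on a bad or missing nonce
    $amount = absint( wp_unslash( $_POST['row_amount'] ) ); // a row count is a positive integer
    if ( $amount < 1 ) {
        return;                                            // reject 0 and non-numeric input
    }
    if ( $amount !== (int) get_option( 'bm_row_amount' ) ) {
        update_option( 'bm_row_amount', $amount );
    }
}
add_action( 'admin_init', 'bm_save_row_amount_fixed' );

function bm_render_row_amount_fixed() {
    echo '<form method="post">';
    wp_nonce_field( 'bm_save_row_amount' );
    echo '<input type="number" min="1" name="row_amount" value="'
        . esc_attr( get_option( 'bm_row_amount', 10 ) ) . '">';   // escape on output regardless
    echo '</form>';
}
```

Even with the input coerced to an integer, keeping `esc_attr()` on output is the defence that holds if a future change lets a non-numeric value back into the option.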

Affects Plugin

no known fix

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Noman Riffat
Submitter Noman Riffat
Submitter Twitter @nomanriffat
Views 3508
Verified Yes
WPVDB ID 10032

Timeline

Publicly Published 2020-01-19 (about 1 month ago)
Added 2020-01-19 (about 1 month ago)
Last Updated 2020-02-13 (14 days ago)
