Batch-Move Posts <= 1.5 - Broken Authentication leading to Unauthenticated Stored XSS

An attacker can set a Cross-Site Scripting (XSS) payload remotely without any authentication. The payload is triggered when an administrator visits the plugin's settings page.

Edit (WPScanTeam): The plugin is still affected and has been closed.
Proof of Concept
The vulnerable code is at lines 68 to 84 of batch.php. It reads the `bm_row_amount` option from the database and compares it with the `row_amount` GET parameter; if the two differ, it updates `bm_row_amount` with the value taken from the request. Following batch.php from the top shows that this code is not guarded by any precondition, i.e. there is no check that the current user is an administrator and no CSRF nonce. This means that anyone can request batch.php as an unauthenticated user with `row_amount` set to a payload such as `"><script>alert(2)</script>`, and the option `bm_row_amount` will be updated with it.

The `row_amount` parameter can also be sent in a POST body instead of the query string; the update still works, which can be used to bypass a firewall that only filters the GET request.

The payload triggers on the plugin's main settings page (Posts > Move Categories).
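The following PHP is an added illustration, not code from the Batch-Move Posts plugin: a hypothetical reconstruction of the unguarded option-update and unescaped-output pattern the advisory describes, followed by a hardened version using the WordPress core functions `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `absint` and `esc_attr`. The option name `bm_row_amount` and request key `row_amount` come from the advisory; the function names, the nonce action `bm_save_row_amount`, the assumption that the option is an integer row count, and the default of 20 are this example's own. It assumes WordPress is loaded.

```php
<?php
/*
 * Added illustration (not the plugin's code). Assumes WordPress is loaded:
 * get_option, update_option, current_user_can, check_admin_referer,
 * wp_nonce_field, wp_unslash, absint, esc_attr and wp_die are WordPress core.
 * Function names, the nonce action 'bm_save_row_amount' and the default
 * value 20 are hypothetical; bm_row_amount / row_amount are from the advisory.
 */

// Vulnerable pattern (hypothetical reconstruction of what the advisory
// describes): runs on every load of the file, before any capability or
// nonce check, and accepts the value from GET or POST alike, which is why
// sending it as a POST field bypasses a firewall that only filters the query.
function bm_update_row_amount_vulnerable() {
    if ( isset( $_REQUEST['row_amount'] ) ) {
        $stored = get_option( 'bm_row_amount' );
        if ( $stored !== $_REQUEST['row_amount'] ) {
            update_option( 'bm_row_amount', $_REQUEST['row_amount'] ); // raw, untrusted
        }
    }
}

// Vulnerable output: the stored value is echoed into an HTML attribute
// unescaped, so a value such as "><script>alert(2)</script> closes the
// attribute and injects a <script> element into the admin settings page.
function bm_render_row_amount_field_vulnerable() {
    $value = get_option( 'bm_row_amount' );
    echo '<input type="text" name="row_amount" value="' . $value . '">';
}

// Hardened: administrators only, POST only, valid nonce required,
// value coerced to a positive integer, and always escaped on output.
function bm_update_row_amount_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['row_amount'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'bm_save_row_amount' ); // dies on a missing or invalid nonce
    $amount = absint( wp_unslash( $_POST['row_amount'] ) ); // 0 if not numeric
    if ( $amount < 1 ) {
        return; // reject empty, negative and non-numeric input
    }
    update_option( 'bm_row_amount', $amount );
}

function bm_render_row_amount_field_hardened() {
    $value = absint( get_option( 'bm_row_amount', 20 ) ); // hypothetical default
    echo '<form method="post">';
    wp_nonce_field( 'bm_save_row_amount' );
    echo '<input type="number" min="1" name="row_amount" value="' . esc_attr( $value ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

Even with `absint` on input, the output is still escaped with `esc_attr`: the stored value could have been written by older vulnerable code or another path, so escaping at the sink is what closes the XSS, while the capability and nonce checks are what close the broken-authentication half of the issue.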

Affects Plugin: Batch-Move Posts <= 1.5

Fixed in: no known fix (plugin closed)


Type: XSS
OWASP Top 10: A7 Cross-Site Scripting (XSS)


Original Researcher: Noman Riffat
Submitter: Noman Riffat
Submitter Twitter: @nomanriffat
Views: 3833
Verified: Yes
WPVDB ID: 10032


Publicly Published: 2020-01-19
Added: 2020-01-19
Last Updated: 2020-02-13
