Sola Support Ticket <= 3.12 - XSS & Configuration Change



Description
Any logged in user with any role and access to wp-admin in any way can update plugin settings including allowing HTML to be parsed. One can also change any notification messages to include JS which then can be used to obtain information by forgery.
Proof of Concept
Make POST request to /wp-admin with parameters

sola_st_save_settings:1
sola_st_settings_allow_html:1
sola_st_settings_thank_you_text:<script>alert(1);</script>

Affects Plugin

fixed in version 3.13

References

URL https://wordpress.org/plugins/sola-support-tickets/changelog/
URL https://plugins.trac.wordpress.org/changeset?old_path=%2Fsola-support-tickets%2Ftags%2F3.12&old=1350554&new_path=%2Fsola-support-tickets%2Ftags%2F3.13&new=1350554&sfp_email=&sfph_mail=

Classification

Type BYPASS

Miscellaneous

Submitter Justin Greer
Submitter Website http://justin-greer.com
Submitter Twitter justingreer2014
Views 3727
Verified No
WPVDB ID 8389

Timeline

Publicly Published 2016-01-28 (over 3 years ago)
Added 2016-02-14 (over 3 years ago)
Last Updated 2016-02-14 (over 3 years ago)