All-in-One WP Migration <= 6.97 - Authenticated Cross-Site Scripting (XSS)



Description
An attacker would first need to compromise the database or gain access to a user account with privileges high enough to view the backup history, so some damage has already been done. Such an attacker could then also insert XSS in order to compromise other admin users.

When the backup description on the backup history overview page is double-clicked in order to edit the description text, the text is not sanitized or escaped with HTML entities when the input field is generated.
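
The escaping gap described above, as an added example that is not the plugin's code or part of the original advisory: it builds the edit field by string concatenation with and without HTML-entity encoding, using the description text from this page's Proof of Concept. The function names, CSS class and input markup are assumptions.

```javascript
// Added illustration: function names and markup are assumptions, not the plugin's code.
const PAYLOAD = '"><script>alert("XSS!");</script>'; // description text quoted in this advisory

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Reverse of escapeHtml, standing in for the browser's entity decoding of attribute values.
function decodeEntities(text) {
  const reverse = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => reverse[ent]);
}

// Vulnerable pattern: the stored description is concatenated straight into markup.
function renderEditFieldUnsafe(description) {
  return '<input type="text" class="backup-description" value="' + description + '">';
}

// Hardened pattern: same markup, description entity-encoded before insertion.
function renderEditFieldSafe(description) {
  return '<input type="text" class="backup-description" value="' + escapeHtml(description) + '">';
}

// Rough model of HTML tokenization for this one tag: the value attribute ends at the
// first double quote, the tag ends at the next ">", and the rest is parsed as new markup.
function inspect(markup) {
  const m = /^<input\b[^>]*?\bvalue="([^"]*)"([^>]*)>([\s\S]*)$/.exec(markup);
  if (!m) return null;
  return {
    value: decodeEntities(m[1]),          // what the admin would see in the field
    trailing: m[3],                       // markup that escaped the input tag
    injectsElement: /<[a-z]/i.test(m[3]), // true if a new element starts after the tag
  };
}

for (const [label, render] of [['unsafe', renderEditFieldUnsafe], ['safe', renderEditFieldSafe]]) {
  console.log(label, inspect(render(PAYLOAD)));
}
```

Creating the element with DOM APIs and assigning the text to the input's value property avoids building markup from the string at all.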

This was reported to the plugin author on 2 July 2019 and confirmed to be fixed in version 7.0 on 17 July 2019.

Proof of Concept
Browse to the backup history overview in the admin control panel and enter the following as the description text of a backup item. The JS will be executed the next time any admin user views that page:

"><script>alert("XSS!");</script>

Affects Plugin

fixed in version 7.0

References

URL https://plugins.trac.wordpress.org/changeset/2124441
URL https://wptavern.com/all-in-one-wp-migration-7-0-patches-xss-vulnerability

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Connum
Submitter Connum
Views 6763
Verified No
WPVDB ID 9461

Timeline

Publicly Published 2019-07-17
Added 2019-07-17
Last Updated 2019-07-23
