Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
Vulnerable Plugin: Google Tag Manager for WordPress
Vulnerable Version: <= 1.15.1
Vulnerability: Stored XSS
Vulnerable File: public/frontend.php#L:717
Vulnerable Code:
public/frontend.php#L:717
711: if ( $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_ENABLED ] ) {
712:     $_gtm_top_content .= '
713:
714:     var gtm4wp_scrollerscript_debugmode = ' . ( $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_DEBUGMODE ] ? 'true' : 'false' ) . ';
715:     var gtm4wp_scrollerscript_callbacktime = ' . (int) $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CALLBACKTIME ] . ';
716:     var gtm4wp_scrollerscript_readerlocation = ' . (int) $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_DISTANCE ] . ';
717:     var gtm4wp_scrollerscript_contentelementid = "' . $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CONTENTID ] . '";
718:     var gtm4wp_scrollerscript_scannertime = ' . (int) $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_READERTIME ] . ';';
719: }
The snippet above is appended to $_gtm_top_content, the inline script block the plugin prints on the front end. The four numeric options are cast to (int) or mapped to true/false, so they cannot carry markup, but on line 717 the Content ID option is concatenated straight into a double-quoted JavaScript string literal with no escaping at all. Any saved value containing a double quote (to close the literal) or the sequence </script> (to close the script element) therefore runs as script in the visitor's browser.
Proof of Concept:
Log in as an administrator (the settings page lives under options-general.php, so the manage_options capability is required) and visit:
http://127.0.0.1/wp-admin/options-general.php?page=gtm4wp-settings
>> Scroll Tracking
>> Enable Scroll Tracker
>> Set the XSS payload in Content ID; the value must break out of the double-quoted JavaScript string it is printed into (line 717 above)
>> Save Changes
The payload is stored in the plugin's options and executes whenever any user, authenticated or not, visits any page of the site, e.g.:
http://127.0.0.1 ie the Home Page
Although an administrator account is needed, this is still a valid issue: WordPress administrators do not always hold the unfiltered_html capability (it is withheld from site administrators on multisite and whenever DISALLOW_UNFILTERED_HTML is set), and the payload persists and fires site-wide for every visitor. See the WPScan post under References.
Fix:
public/frontend.php#L:717
var gtm4wp_scrollerscript_contentelementid = "' . esc_js($gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CONTENTID ]) . '";
Caveat: esc_js() is documented for inline JavaScript inside single-quoted HTML attributes. It still stops this breakout, because it HTML-entity-encodes " and < (to &quot; and &lt;) and entities are not decoded inside a <script> element, but the Content ID string the script then sees contains those entities rather than the original characters. Emitting the value as a JSON string literal instead, i.e. ' . wp_json_encode( $gtm4wp_options[ GTM4WP_OPTION_SCROLLER_CONTENTID ], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT ) . ' with no surrounding quotes, keeps the value intact and is the cleaner choice for a script-block context.
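The following script is an added example, not code from the plugin or from this advisory's author. It rebuilds the scroll-tracker snippet in plain PHP (no WordPress required), once with the raw concatenation of line 717 and once with the Content ID emitted as a JSON string literal, and runs three constructed Content ID values through both. The option keys such as 'scroller-contentid' are stand-ins for the plugin's GTM4WP_OPTION_* constants, and breaks_out() is a rough check for this demo only, not a general XSS detector.

```php
<?php
// Added example: renders the scroll-tracker snippet the way public/frontend.php
// does, unescaped and hardened, and feeds both a few constructed payloads.
// Runs with plain PHP 7+. The $options keys are constructed stand-ins for the
// plugin's GTM4WP_OPTION_* constants; none of this is the plugin's own code.

function render_scroller_script(array $options, bool $hardened): string
{
    // The numeric options are cast to int exactly as the plugin does, so they
    // cannot break out. The Content ID is the only free-form string.
    $content_id = (string) $options['scroller-contentid'];

    if ($hardened) {
        // json_encode() yields a complete JS string literal: it escapes " and \,
        // and with the JSON_HEX_* flags it turns < > & ' " into \uXXXX, so a
        // "</script>" inside the value can never terminate the inline script.
        // In WordPress, wp_json_encode() accepts the same flags. esc_js() (the
        // fix shown above) also blocks the breakout, but it is meant for
        // single-quoted attribute JS and HTML-entity-encodes the value instead.
        $id_literal = json_encode(
            $content_id,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
    } else {
        // Vulnerable form: raw concatenation into a double-quoted literal.
        $id_literal = '"' . $content_id . '"';
    }

    return "<script>\n"
        . "var gtm4wp_scrollerscript_debugmode = " . ($options['scroller-debugmode'] ? 'true' : 'false') . ";\n"
        . "var gtm4wp_scrollerscript_callbacktime = " . (int) $options['scroller-callbacktime'] . ";\n"
        . "var gtm4wp_scrollerscript_readerlocation = " . (int) $options['scroller-distance'] . ";\n"
        . "var gtm4wp_scrollerscript_contentelementid = " . $id_literal . ";\n"
        . "var gtm4wp_scrollerscript_scannertime = " . (int) $options['scroller-readertime'] . ";\n"
        . "</script>\n";
}

// Demo-only breakout check: a second <script> tag in the output, or a further
// statement on the same line after the Content ID literal has been closed.
function breaks_out(string $html): bool
{
    if (substr_count(strtolower($html), '<script') > 1) {
        return true;
    }
    return (bool) preg_match('/contentelementid = "[^"\n]*"[ \t]*;[ \t]*\S/', $html);
}

// Constructed Content ID values: one benign, two that break out of the literal.
$payloads = [
    'content',                                          // benign element id
    '"; alert(document.domain); //',                     // closes the string literal
    '</script><script>alert(document.domain)</script>', // closes the script element
];

foreach ($payloads as $payload) {
    foreach ([false, true] as $hardened) {
        $options = [
            'scroller-debugmode'    => false,
            'scroller-callbacktime' => 100,
            'scroller-distance'     => 150,
            'scroller-contentid'    => $payload,
            'scroller-readertime'   => 1800,
        ];
        $html = render_scroller_script($options, $hardened);
        printf(
            "%-8s payload=%-55s breaks out: %s\n",
            $hardened ? 'hardened' : 'raw',
            var_export($payload, true),
            breaks_out($html) ? 'YES' : 'no'
        );
    }
}
```

Run it with php on the command line: the two raw rows for the breakout payloads report YES and every hardened row reports no. Because the browser decodes the \uXXXX escapes inside the string literal, the hardened script still receives exactly the Content ID the administrator typed, which is the practical advantage of JSON encoding over esc_js() in this context.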
References:
https://blog.wpscan.com/why-admin-xss-is-a-valid-security-issue/