Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
Vulnerable Plugin: Simple Banner
Plugin Slug: simple-banner
Active Plugin Installations: 50,000+
Vulnerable Version: <= 2.11.0 (latest version as of discovery)
Tested on: WordPress v6.0.1
Vulnerability: Authenticated Stored XSS
Discovery date: July 19, 2022
Fix: Update plugin to version 2.12.0 or higher
Log in as admin and visit: http://127.0.0.1/wp-admin/admin.php?page=simple-banner-settings
>> In "Activation Code" field enter XSS payload as HoverHere" onmouseover=alert(1) a
>> Click Save Changes
The stored XSS triggers when any user with the ability to manage "Simple Banner" visits http://127.0.0.1/wp-admin/admin.php?page=simple-banner-settings and hovers over the "Activation Code" text box.
User input is escaped only by placing a backslash before quotes, which does not prevent XSS in an HTML context because the HTML parser does not treat a backslash as an escape character. Instead, user input should be sanitized or HTML-entity encoded before it is displayed to the user.
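As an added illustration (not the plugin's code and not part of the original advisory), the following shows why backslash-escaping fails in attribute context and what entity encoding does differently. The field name `activation_code` and the two render functions are assumed for illustration; Python's `html.escape()` stands in for WordPress's `esc_attr()`.

```python
"""Added example, not the plugin's code: why backslash-escaping quotes does not
stop XSS in an HTML attribute, and what entity encoding (esc_attr() in
WordPress, html.escape() here) does differently. The field name is constructed."""
import html
from html.parser import HTMLParser

# Constructed input of the same shape as the payload described above.
ACTIVATION_CODE = 'HoverHere" onmouseover=alert(1) a'


def escape_with_backslash(value: str) -> str:
    """Models PHP addslashes(): a backslash before quotes and backslashes.
    An HTML parser never treats backslash as an escape, so this is useless here."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def render_vulnerable(value: str) -> str:
    """Vulnerable pattern: the value lands in an attribute with only quotes escaped."""
    return f'<input type="text" name="activation_code" value="{escape_with_backslash(value)}">'


def render_fixed(value: str) -> str:
    """Hardened pattern: &, <, > and both quote characters become entities."""
    return f'<input type="text" name="activation_code" value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Records the attributes the parser assigns to the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_input_attributes(markup: str) -> dict:
    """Parse the rendered markup the way a browser would and return <input>'s attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True when an on* attribute exists, i.e. the stored value broke out of value="..."."""
    return any(name.lower().startswith("on") for name in parsed_input_attributes(markup))
```

With the addslashes-style rendering the parser sees a live `onmouseover` attribute; with entity encoding the whole payload is recovered as the inert text value of the field.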
This vulnerability can be exploited by a user of any role, even a subscriber, if that role has been given permission to use the plugin. A subscriber can therefore exploit the XSS to perform actions on behalf of other users.
Furthermore, the plugin has an option to allow users of any role to access "Simple Banner". A second issue, classified as problematic, is that when an admin uses this option to grant a role access to the plugin, that role receives more than intended.
Expected behavior of the feature: the role can access the "Simple Banner" plugin only.
Actual behavior: the role can also access plugins other than "Simple Banner".
An admin would assume the role can only access "Simple Banner", but in fact the role can access other plugins as well, because the feature adds the capability to manage roles to those users.
Before allowing the subscriber role to access "Simple Banner": no plugin is accessible to a user with the subscriber role.
After allowing the subscriber role to access "Simple Banner": plugins other than "Simple Banner" are also accessible to the subscriber.