VYPR
Unrated severity · NVD Advisory · Published Aug 16, 2021 · Updated Aug 3, 2024

Telugu Bible Verse Daily <= 1.0 - CSRF to Stored XSS

CVE-2021-24410

Description

The Telugu Bible Verse Daily WordPress plugin through 1.0 lacks CSRF protection and output sanitization, enabling stored XSS via admin settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Telugu Bible Verse Daily WordPress plugin through version 1.0 lacks a Cross-Site Request Forgery (CSRF) check when saving its settings and verses. Additionally, it fails to sanitize or escape these values when outputting them back in the page. This combination allows an attacker to inject arbitrary JavaScript code into the plugin's settings or verse content, leading to stored Cross-Site Scripting (XSS) [1].
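
The two controls the description says are missing (a CSRF check when saving and escaping when outputting) look like this in a WordPress settings handler. This is an added example, not code from the plugin or from the referenced advisory; every `tbvd_example_*` name, the option key and the admin page slug are assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, not taken from Telugu Bible Verse Daily.
// All tbvd_example_* names, the option key and the page slug are assumptions.

// Admin page callback: render the settings form with a nonce and escaped values.
function tbvd_example_render_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    $verse = get_option( 'tbvd_example_verse', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tbvd_example_save" />
        <?php wp_nonce_field( 'tbvd_example_save', 'tbvd_example_nonce' ); // per-user CSRF token ?>
        <textarea name="tbvd_example_verse"><?php echo esc_textarea( $verse ); // escape on output ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// POST handler: capability check, nonce check, then sanitize before storing.
function tbvd_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid,
    // so a request forged from another site is rejected before any write.
    check_admin_referer( 'tbvd_example_save', 'tbvd_example_nonce' );

    $verse = isset( $_POST['tbvd_example_verse'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['tbvd_example_verse'] ) )
        : '';
    update_option( 'tbvd_example_verse', $verse );

    wp_safe_redirect( admin_url( 'options-general.php?page=tbvd-example' ) );
    exit;
}
add_action( 'admin_post_tbvd_example_save', 'tbvd_example_save_settings' );

// Front-end output: escape again at the point of display, regardless of
// what was stored, so older unsanitized values cannot render as markup.
function tbvd_example_shortcode() {
    return '<p class="tbvd-example-verse">' . esc_html( get_option( 'tbvd_example_verse', '' ) ) . '</p>';
}
add_shortcode( 'tbvd_example_verse', 'tbvd_example_shortcode' );
```

The nonce check closes the CSRF path and the escaping closes the stored XSS path; either control alone still leaves one half of the issue open.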

Exploitation

An attacker can craft a malicious link or page that, when visited by a logged-in administrator, triggers a CSRF request to change the plugin's settings or add a new verse containing JavaScript. No authentication or special privileges are required beyond tricking the admin into performing the action. The injected script is then stored and executed whenever the affected page is loaded [1].

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the WordPress admin panel. This can lead to session hijacking, defacement, or further compromise of the site, depending on the attacker's payload and the admin's privileges [1].

Mitigation

As of the reference publication, no fix is available for this vulnerability. The plugin appears to be abandoned (last updated 2021). Users are advised to remove or replace the plugin with an alternative that receives security updates. No workaround is provided [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
