VYPR
Unrated severity · NVD Advisory · Published Feb 14, 2022 · Updated Aug 3, 2024

Remove Footer Credit < 1.0.6 - CSRF to Stored Cross-Site Scripting

CVE-2021-24446

Description

The Remove Footer Credit WordPress plugin before 1.0.6 does not have a CSRF check in place when saving its settings, which could allow attackers to make logged-in admins change them, and also leads to a Stored XSS issue due to the lack of sanitisation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Remove Footer Credit WordPress plugin before 1.0.6 lacks CSRF protection and input sanitization, allowing attackers to trick admins into saving malicious settings that lead to stored XSS.

Vulnerability

The Remove Footer Credit WordPress plugin versions before 1.0.6 lack a Cross-Site Request Forgery (CSRF) check when saving its settings. Additionally, the plugin does not sanitize the input, allowing the injection of arbitrary HTML and JavaScript. This combination enables a CSRF-to-Stored XSS attack [1].

Exploitation

An attacker must trick a logged-in administrator into visiting a malicious page or clicking a crafted link that submits a request to the plugin's settings page. Since there is no CSRF token validation, the attacker can force the admin to change the plugin settings, such as the footer credit text, to include malicious JavaScript. The attacker does not need any authentication themselves, but the victim must have administrative privileges [1].

Impact

Successful exploitation results in stored cross-site scripting (XSS). The injected script executes in the context of the admin's browser when they view the plugin settings or any page where the footer credit is displayed. This could allow the attacker to perform actions on behalf of the admin, steal session cookies, or deface the site. The impact is limited to the privileges of the victim admin [1].

Mitigation

Plugin version 1.0.6 adds a CSRF check, but the sanitization is incomplete: only script tags are removed, leaving other XSS vectors possible. Therefore, updating to 1.0.6 mitigates the CSRF issue but does not fully resolve the stored XSS vulnerability. A separate advisory exists for the remaining XSS issue. No other workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
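The two defects the advisory describes, as an added illustrative example that is not the plugin's own code: a settings-save handler with no nonce check and a denylist that strips only script tags, beside a hardened handler that uses WordPress's nonce verification, a capability check and an allowlist sanitizer. The option name `rfc_footer_credit`, the `rfc_*` function names, the `admin_post_rfc_save_settings` hook and the nonce field name are assumptions.

```php
<?php
// Illustrative WordPress settings-save handlers (added example, not the plugin's code).
// The option name 'rfc_footer_credit', the hook, nonce and function names are assumed.

// Pattern the advisory describes (for contrast only): no nonce, no capability check,
// and a denylist that strips only <script> tags; markup with event-handler attributes is stored.
function rfc_save_settings_weak() {
    if ( isset( $_POST['rfc_footer_credit'] ) ) {
        $raw    = wp_unslash( $_POST['rfc_footer_credit'] );
        $credit = preg_replace( '#<script\b[^>]*>.*?</script>#is', '', $raw );
        update_option( 'rfc_footer_credit', $credit );
    }
}

// Allowlist of what a footer credit needs: no on* attributes; wp_kses also limits href to safe protocols.
function rfc_allowed_credit_html() {
    return array(
        'a'      => array( 'href' => true, 'rel' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
}

// Hardened handler: the nonce is bound to this action and the admin's session,
// so a cross-site form cannot supply it; the allowlist replaces the denylist.
function rfc_save_settings_hardened() {
    check_admin_referer( 'rfc_save_settings', 'rfc_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $raw = isset( $_POST['rfc_footer_credit'] ) ? wp_unslash( $_POST['rfc_footer_credit'] ) : '';
    update_option( 'rfc_footer_credit', wp_kses( $raw, rfc_allowed_credit_html() ) );
}
add_action( 'admin_post_rfc_save_settings', 'rfc_save_settings_hardened' );

// The settings form must emit the matching nonce field.
function rfc_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'rfc_save_settings', 'rfc_nonce' );
    echo '<input type="hidden" name="action" value="rfc_save_settings">';
    echo '<textarea name="rfc_footer_credit">' . esc_textarea( get_option( 'rfc_footer_credit', '' ) ) . '</textarea>';
    submit_button();
    echo '</form>';
}

// Sanitize again at output time rather than trusting the stored value.
function rfc_render_footer_credit() {
    echo wp_kses( get_option( 'rfc_footer_credit', '' ), rfc_allowed_credit_html() );
}
```

`check_admin_referer()` terminates the request when the nonce is missing or invalid, so the weak handler's behaviour of silently accepting a forged POST never occurs in the hardened one.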

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: no source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in the index yet)