Stored Cross-Site Scripting (XSS) in Mass Pages/Posts Creator plugin <= 1.2.2

Any logged-in user can launch mass page/post creation with custom content. In the file mass-pages-posts-creator.php, the function mpc_ajax_action is hooked into WordPress AJAX through wp_ajax_mpc_ajax_action and wp_ajax_nopriv_mpc_ajax_action. The handler has no nonce check and no user capability check, so anyone can DDoS a site and create hundreds of thousands of posts with custom content. An unauthenticated user came very close to being able to launch this attack, but the developer made a typo when adding the hook: wp_ajax_nopriv`_mpc_ajax_action.
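
A hardened version of such a handler, as an added example (not the plugin's own code and not from the original advisory), showing the nonce check, capability check and content sanitization the paragraph above says are missing. The nonce action `mpc_create_posts`, the request fields `nonce`, `titles` and `content`, the per-request cap and the choice of the `publish_pages` capability are assumptions made for illustration.

```php
<?php
// Added example: hardened sketch of the AJAX handler, not the plugin's code.
// Hypothetical names: nonce action 'mpc_create_posts', POST fields 'nonce',
// 'titles', 'content', and the MPC_MAX_POSTS_PER_REQUEST cap.
const MPC_MAX_POSTS_PER_REQUEST = 50;

// Register the authenticated hook only; no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_mpc_ajax_action', 'mpc_ajax_action' );

function mpc_ajax_action() {
    // CSRF: terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'mpc_create_posts', 'nonce' );

    // Authorization: being logged in is not enough to bulk-create content.
    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Bound the work one request can trigger.
    $titles = isset( $_POST['titles'] ) ? (array) wp_unslash( $_POST['titles'] ) : array();
    $titles = array_filter( array_map( 'sanitize_text_field', $titles ) );
    if ( count( $titles ) > MPC_MAX_POSTS_PER_REQUEST ) {
        wp_send_json_error( array( 'message' => 'Too many posts requested.' ), 400 );
    }

    // Stored XSS: allow only post-safe HTML unless the user may post raw HTML.
    $content = ( isset( $_POST['content'] ) && is_string( $_POST['content'] ) )
        ? wp_unslash( $_POST['content'] )
        : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    $created = array();
    foreach ( $titles as $title ) {
        $post_id = wp_insert_post(
            array(
                'post_type'    => 'page',
                'post_status'  => 'draft',
                'post_title'   => $title,
                'post_content' => $content,
            ),
            true // Return a WP_Error instead of 0 on failure.
        );
        if ( ! is_wp_error( $post_id ) ) {
            $created[] = $post_id;
        }
    }
    wp_send_json_success( array( 'created' => $created ) );
}
```

The matching nonce would be issued to the admin page with `wp_create_nonce( 'mpc_create_posts' )` and sent back in the `nonce` field of the AJAX request.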

Proof Of Concept:
