OSDG Diagnosis Generator
- Affected versions: <= 1.4.16
A stored cross-site scripting vulnerability has been identified in the WordPress Diagnosis Generator plugin, affecting versions through 1.4.16. The issue arises from inadequate authorization checks and poor input sanitization in the 'themeFunc()' function, which is hooked to 'admin_init' and therefore runs on every request to the admin area, including requests from low-privileged accounts. This allows any authenticated user, including those with subscriber-level access, to inject malicious JavaScript into theme files. The vulnerability is exacerbated by the 'save()' function's use of 'stripslashes()', which strips the slashes WordPress adds to request data (its "magic quotes" handling), so the payload is written to the theme file unchanged and executes whenever a user visits a page containing the diagnosis form shortcode.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
To reproduce this vulnerability, an authenticated user with subscriber-level access can send a POST request to the 'diagnosis-generator-theme.php' page. The request must include the 'theme_name' parameter, the 'js' parameter with the malicious JavaScript payload, and the '_wpnonce' parameter for nonce verification. Once the theme file is saved, the injected script will execute when the diagnosis form shortcode is accessed on a page.
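The two handler patterns below are an added illustration of the flaw described above and of its fix; they are not the plugin's own code, and all function, hook-action and path names prefixed `osdg_example_` are hypothetical. Only the structure the advisory describes is taken from the text: a handler on `admin_init`, no capability check, `stripslashes()` applied to a request parameter, and the result written to a theme file.

```php
<?php
// Added example (not the plugin's code). Names prefixed osdg_example_ are
// hypothetical; the pattern mirrors the advisory: admin_init handler, no
// capability check, stripslashes() on user input, value written to a theme file.

// --- Vulnerable pattern ---------------------------------------------------
// admin_init fires on every admin-area request, and subscribers can reach the
// admin area (e.g. their profile page), so this handler runs for them too.
function osdg_example_theme_func_vulnerable() {
    if ( empty( $_POST['theme_name'] ) ) {
        return;
    }
    // A nonce proves intent (CSRF protection), not authorization: any logged-in
    // user who can load the form page can obtain a valid nonce.
    check_admin_referer( 'osdg_example_save_theme' );

    // stripslashes() undoes the slashes WordPress adds to request data, so the
    // value is stored verbatim; nothing restricts who may submit script here.
    $js   = stripslashes( $_POST['js'] );
    $file = plugin_dir_path( __FILE__ ) . 'themes/'
          . sanitize_file_name( $_POST['theme_name'] ) . '.js';
    file_put_contents( $file, $js );
}
add_action( 'admin_init', 'osdg_example_theme_func_vulnerable' );

// --- Hardened pattern ------------------------------------------------------
function osdg_example_theme_func_hardened() {
    if ( empty( $_POST['theme_name'] ) ) {
        return;
    }
    // 1. Authorization first. Writing script that runs for every visitor is an
    //    administrator-level action; unfiltered_html is the capability WordPress
    //    uses to gate arbitrary markup/script, so require both.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'You are not allowed to modify diagnosis themes.', 403 );
    }
    // 2. Then CSRF protection, in addition to (not instead of) the capability check.
    check_admin_referer( 'osdg_example_save_theme' );

    // 3. Use wp_unslash() (the supported way to remove WordPress's added slashes)
    //    and validate the file name so the write cannot leave the themes directory.
    $theme_name = sanitize_file_name( wp_unslash( $_POST['theme_name'] ) );
    if ( '' === $theme_name ) {
        wp_die( 'Invalid theme name.', 400 );
    }
    $js = isset( $_POST['js'] ) ? wp_unslash( $_POST['js'] ) : '';

    $file = plugin_dir_path( __FILE__ ) . 'themes/' . $theme_name . '.js';
    file_put_contents( $file, $js );
}
add_action( 'admin_init', 'osdg_example_theme_func_hardened' );
```

The order of the checks in the hardened version matters: the capability check decides whether this user may perform the action at all, and only then does the nonce check confirm the request was intentionally submitted. A nonce check on its own, as in the vulnerable pattern, is what lets a subscriber-level account pass the handler.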