WordPress Plugin OneSignal 1.17.5 Persistent Cross-Site Scripting

Title: WordPress Plugin OneSignal 1.17.5 Persistent Cross-Site Scripting
Advisory ID: ZSL-2019-5530
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 18.07.2019
Summary
OneSignal is a high volume and reliable push notification service for websites and mobile applications. We support all major native and mobile platforms by providing dedicated SDKs for each platform, a RESTful server API, and an online dashboard for marketers to design and send push notifications.
Description
The application suffers from an authenticated stored XSS via POST request. The issue is triggered when input passed via the POST parameter 'subdomain' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Vendor
iWT Ltd. - https://www.onesignal.com
Affected Version
1.17.5
Tested On
WordPress 5.2.2
Apache/2.4.39
PHP/7.1.30
Vendor Status
N/A
PoC
wordpress-onesignal-xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://wordpress.org/plugins/onesignal-free-web-push-notifications/
[2] https://www.exploit-db.com/exploits/47136
[3] https://packetstormsecurity.com/files/153682
[4] https://cxsecurity.com/issue/WLB-2019070091
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/164034
Changelog
[18.07.2019] - Initial release
[19.07.2019] - Added reference [3] and [4]
[24.07.2019] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk