Page Builder: Live Composer < 1.5.23 – Contributor+ Stored XSS via Shortcode | CVE 2022-4669

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

[dslc_notification color='red" onmouseover="alert(1)"']

Affects Plugins

live-composer-page-builder

Fixed in 1.5.23

References

CVE

CVE-2022-4669

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

LanaCodes

Verified

Yes

WPVDB ID

79f011e4-3422-4307-8736-f27048796aae

Timeline

Publicly Published

2023-01-24 (about 1 years ago)

Added

2023-01-24 (about 1 years ago)

Last Updated

2023-02-28 (about 1 years ago)

Other

Published

Title

Published

2023-08-14

Title

User Submitted Posts < 20230811 - Unauthenticated Stored XSS

Published

2023-04-24

Title

Advanced Youtube Channel Pagination <= 1.0 - Reflected XSS

Published

2023-11-30

Title

Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Zopim Live Chat <= 1.2.5 - XSS in ZeroClipboard

Published

2022-06-01

Title

Icegram < 2.1.8 - Contributor+ Stored Cross-Site Scripting