WordPress Plugin Vulnerabilities

Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to store Cross-Site Scripting payloads in them. The payloads trigger when an admin views the related contact message.

Proof of Concept

Setup:
- In the General Settings of the plugin, check the "Show Chat Bubble at website" checkbox and save.
- In the "Bubble Items" enable the "Simple CallBack" and save.

Attacker (unauthenticated):
- Access the blog and click on the contact bubble.
- In any of the offered fields (fname or fphone), enter the following payload and click "Submit": <script>alert(/XSS/)</script>

The XSS is triggered when an admin views the related Callback Message via the Callback dashboard (/wp-admin/edit.php?post_type=cbb_callback => /wp-admin/post.php?post=21&action=edit).
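
The missing sanitisation and escaping described above, shown as an added example beside a hardened form; this is not the plugin's code and not from the researcher. The field names fname and fphone come from the proof of concept, the example_* function names are hypothetical, and the two shims are simplified stand-ins for WordPress's sanitize_text_field() and esc_html() so the file also runs outside WordPress.

```php
<?php
// Added example; function names prefixed example_ are hypothetical.
// Simplified stand-ins for the real WordPress helpers, used only when
// this file is run outside WordPress.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) {
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $s)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    }
}

// Input side: normalise the two callback fields before they are stored.
function example_clean_callback(array $post): array {
    $name  = sanitize_text_field($post['fname'] ?? '');
    $phone = sanitize_text_field($post['fphone'] ?? '');
    // Allow-list for phone numbers: digits, spaces and + - ( ) . only.
    if (!preg_match('/^[0-9+\-(). ]{3,30}$/', $phone)) {
        $phone = '';
    }
    return ['fname' => $name, 'fphone' => $phone];
}

// Output side, vulnerable pattern: stored value echoed as-is into admin HTML.
function example_render_unsafe(array $row): string {
    return '<td>' . $row['fname'] . '</td><td>' . $row['fphone'] . '</td>';
}

// Output side, hardened: escape at the point of output, whatever was stored.
function example_render_safe(array $row): string {
    return '<td>' . esc_html($row['fname']) . '</td><td>'
         . esc_html($row['fphone']) . '</td>';
}

// Constructed sample: the payload from the proof of concept in both fields.
$submitted = [
    'fname'  => '<script>alert(/XSS/)</script>',
    'fphone' => '<script>alert(/XSS/)</script>',
];

echo example_render_unsafe($submitted), "\n"; // script tag reaches the admin page intact
echo example_render_safe($submitted), "\n";   // markup is rendered as inert text
echo example_render_safe(example_clean_callback($submitted)), "\n"; // tags stripped, invalid phone dropped
```

Escaping at output is the control that also covers values stored before any input filtering was added.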

Affects Plugins

Fixed in 2.3

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Juampa Rodríguez
Submitter
Juampa Rodríguez
Verified
Yes

Timeline

Publicly Published
2022-10-18
Added
2022-10-18
Last Updated
2022-10-19