WordPress Plugin Vulnerabilities

WP Attachments < 5.0.5 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Proof of Concept

Inject an XSS payload in the title by going to Settings » WP Attachments » Settings » List Head.

Now, inject XSS payload & HTML injection (<h2> myavatar<script>alert(2)</script>) in the uploaded image Title in Media Library.

Now, after opening the Post page, the browser renders the XSS payload of the attachment title and image title.

The HTML injection rendered as <h2> can be seen in source code. WordPress doesn’t execute the payload of the image name in the media, it only gets executed by the wp-attachment in the post.

Affects Plugins

Plugin icon
wp-attachments
Fixed in 5.0.5

References

CVE
CVE-2022-3469

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Mariah Almotlag
Submitter
Mariah Almotlag
Verified
Yes
WPVDB ID
017ca231-e019-4694-afa2-ab7f8481ae63

Timeline

Publicly Published
2022-10-18 (about 1 years ago)
Added
2022-10-18 (about 1 years ago)
Last Updated
2022-10-18 (about 1 years ago)

Other

Published
Title
Published
2023-01-03
Title
Survey Maker < 3.1.4 - Unauthenticated Stored XSS
Published
2023-11-07
Title
Solid Central < 3.0.1 - Stored Cross-Site Scripting via packages
Published
2023-06-23
Title
PostX - Gutenberg Blocks for Post Grid < 2.9.10 - Reflected Cross-Site Scripting
Published
2024-04-04
Title
Elementor Addons, Widgets and Enhancements – Stax <= 1.4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2016-03-17
Title
Bulletproof Security <= .53.2 - Multiple Cross Site Scripting Vulnerabilities