WordPress Plugin Vulnerabilities
WP Attachments < 5.0.5 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Proof of Concept
Inject an XSS payload in the title by going to Settings » WP Attachments » Settings » List Head. Now, inject XSS payload & HTML injection (<h2> myavatar<script>alert(2)</script>) in the uploaded image Title in Media Library. Now, after opening the Post page, the browser renders the XSS payload of the attachment title and image title. The HTML injection rendered as <h2> can be seen in source code. WordPress doesn’t execute the payload of the image name in the media, it only gets executed by the wp-attachment in the post.
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Mariah Almotlag
Submitter
Mariah Almotlag
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-18 (about 1 years ago)
Added
2022-10-18 (about 1 years ago)
Last Updated
2022-10-18 (about 1 years ago)