WordPress Plugin Vulnerabilities

Calculated Fields Form < 1.1.151 - Admin+ Stored Cross-Site Scripting via Dropdown Fields

Description

The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Partial fixes were implemented in versions 1.1.148, 1.1.150, and 1.1.151.

Proof of Concept

The following steps work on version 1.1.147, before any partial fixes.

1. Go to the "Calculated Fields Form" page in WP Admin.
2. Under "New Form", add an "Item Name" and choose "From Template".
3. Choose the template "DropDown fields with Images" and click "Use It".
4. Click on the first field (`fieldname1`) and in the Field Settings sidebar on the left, change the `Text` field on one of the choices to `<img src="x" onerror=alert(/XSS/)>`.
5. After saving , either preview the Form, or view a post/page with the form embed to trigger the XSS

Affects Plugins

Plugin icon
calculated-fields-form
Fixed in 1.1.151

References

CVE
CVE-2023-0389

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Numan Rajkotiya
Submitter
Numan Rajkotiya
Submitter twitter
nmmcon
Verified
Yes
WPVDB ID
090a3922-febc-4294-82d2-d8339d461893

Timeline

Publicly Published
2023-01-17 (about 1 years ago)
Added
2023-02-22 (about 1 years ago)
Last Updated
2023-02-22 (about 1 years ago)

Other

Published
Title
Published
2024-01-29
Title
SEO Plugin by Squirrly SEO < 12.3.16 - Admin+ Stored XSS
Published
2023-12-23
Title
FOX – Currency Switcher Professional for WooCommerce < 1.4.1.7 - Subscriber+ Stored XSS
Published
2023-11-07
Title
Seo By 10Web <= 1.2.9 - Reflected XSS
Published
2021-08-13
Title
2Way VideoCalls and Random Chat < 5.2.8 - Reflected Cross-Site Scripting
Published
2023-10-31
Title
Admin Bar & Dashboard Control < 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting