WordPress Plugin Vulnerabilities
WP Comments Fields < 4.1 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Proof of Concept
Create/edit a Comment Fields (Comments > Comment Fields) and put the following payload in the Error Message setting: "autofocus onfocus=alert(/XSS/)// The XSS will be triggered in any post
Affects Plugins
Fixed in version 4.1
References
Classification
Miscellaneous
Original Researcher
Rafshanzani Suhada
Submitter
Rafshanzani Suhada
Verified
Yes
Timeline
Publicly Published
2022-07-14 (about 6 months ago)
Added
2022-07-14 (about 6 months ago)
Last Updated
2022-07-14 (about 6 months ago)