WordPress Plugin Vulnerabilities
Outdated php-mod/curl Library - Unauthenticated Reflected Cross-Site Scripting (XSS)
Description
The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation (WPScanTeam), the cause was found to be test files from the php-mod/curl library, which was missing appropriate response headers before outputting user input. We contacted the vendor of the library, which issued a fix (v2.3.2) within a few hours. In the meantime, the entire WordPress plugins repository was scanned for the affected files and 4 additional plugins were identified to be affected as well
Proof of Concept
https://<lib-location>/tests/server/php-curl-test/post_file_path_upload.php?key=%3cimg%20src%20onerror%3dalert(%27XSS%27)%3e curl -X POST -i --data '<script>alert(/XSS/)</script>' https://<lib-location>/tests/server/php-curl-test/post_multidimensional.php
Affects Plugins
Fixed in version 1.1.6
No known fix - plugin closed
Fixed in version 2.1.0 - plugin closed
Fixed in version 3.0.3
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Frank Liauw
Submitter
Frank Liauw
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-16 (about 1 years ago)
Added
2021-04-16 (about 1 years ago)
Last Updated
2021-04-19 (about 1 years ago)