Chatbot < 4.7.8 – Admin+ Stored XSS in Language Settings | CVE 2023-4254 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. In the plugin settings, select "WPBot Lite > Settings > Change Language" 
2. Select "FAQ" and in the "Welcome to FAQ Section" enter the payload `<script>alert(2)</script>`
3. Access the FAQ on the frontend to see XSS.

Affects Plugins

Fixed in 4.7.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

0dfffe48-e60d-4bab-b194-8a63554246c3

Timeline

Publicly Published

2023-08-08 (about 10 months ago)

Added

2023-08-08 (about 10 months ago)

Last Updated

2023-08-08 (about 10 months ago)

Other

Published

Title

Published

2019-08-04

Title

Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters

Published

2024-05-06

Title

WordPress Affiliates Plugin — SliceWP Affiliates < 1.1.11 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2021-10-25

Title

Video Lessons Manager - Admin+ Stored Cross-Site Scripting

Published

2023-01-03

Title

MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode

Published

2021-09-29

Title

Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting