Hubbub Lite < 1.32.0 – Admin+ Stored XSS | CVE 2023-7154 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

As admin, enable the 'Floating Sidebar' (/wp-admin/admin.php?page=dpsp-toolkit), then put the payload below in the 'Twitter Username' Settings of the plugin, and enable the 'Add Twitter Username to all tweets' settings as well

"><img src=xss onerror=alert('XSS') />

The XSS will be triggered when accessing the Floating Sidebar page (/wp-admin/admin.php?page=dpsp-sidebar)

Affects Plugins

Fixed in 1.32.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Tycho Niestadt

Submitter

Tycho Niestadt

Verified

Yes

WPVDB ID

0ed423dd-4a38-45e0-8645-3f4215a3f15c

Timeline

Publicly Published

2024-01-11 (about 4 months ago)

Added

2024-01-11 (about 4 months ago)

Last Updated

2024-01-11 (about 4 months ago)

Other

Published

Title

Published

2021-04-13

Title

WooLentor - WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS

Published

2024-04-17

Title

Element Pack Elementor Addons < 5.6.1 - Contributor+ Stored XSS via Panel Slider Widget

Published

2017-07-24

Title

Simple Custom CSS and JS <= 3.3 - Authenticated Cross-Site Scripting (XSS)

Published

2023-01-17

Title

Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS

Published

2022-03-09

Title

WP HTML Mail < 3.1.3 - Reflected Cross-Site Scripting