TextME SMS < 1.8.9 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The plugin does not escape its settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the Account Username or Password settings of the plugin: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be triggered when accessing the settings page again

Affects Plugins

textme-sms-integration

Fixed in 1.8.9

References

URL

https://plugins.trac.wordpress.org/changeset/2577659

URL

https://plugins.trac.wordpress.org/changeset/2587023

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

142ff815-5e14-405f-a1ab-69cb4fd79f84

Timeline

Publicly Published

2021-08-24 (about 4 years ago)

Added

2021-08-24 (about 4 years ago)

Last Updated

2021-08-24 (about 4 years ago)

Other

Published

Title

Published

2024-10-17

Title

Social Share With Floating Bar <= 1.0.3 - Reflected Cross-Site Scripting

Published

2025-01-14

Title

WP Bulletin Board <= 1.1.4 - Reflected Cross-Site Scripting

Published

2020-09-09

Title

LearnPress < 3.2.7.3 - CSRF & XSS

Published

2020-05-07

Title

Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)

Published

2025-01-06

Title

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress < 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting