Seriously Simple Podcasting < 3.3.0 – Admin+ Stored XSS | CVE 2024-3751

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. In the plugin's onboarding screen: https://example.com/wp-admin/admin.php?page=ssp-onboarding-1 Enter the payload `Test<img src=1 onerror=alert(1)>` in the field "What's the name of your show?"
2. Finish the onboarding
3. Add a new episode: https://example.com/wp-admin/post-new.php?post_type=podcast and associate it with the "Test" podcast from step 1
4. Select "Audio" and Upload an image for the episode file
5. Save the episode and view to see the XSS

Note: The XSS can only be exploited during the initial onboarding flow