Responsive Pricing Table < 5.1.11 – Author+ Stored XSS | CVE 2024-1333 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

- Create a new Pricing Table
- Fill it with valid information, except for the "CSS classes", "Add custom code here" and "Button URL " sections
- Payloads:
  - CSS classes: " onmouseover='alert(/CSS/);'
  - Custom Code: <script>alert(/CustomCode/);</script>
  - Button URL: javascript:alert(/XSS/) (requires the Custom Code to be empty, and the '_rpt_open_newwindow' post meta to be anything other than 'newwindow')

Affects Plugins

dk-pricr-responsive-pricing-table

Fixed in 5.1.11

References

CVE

URL

https://research.cleantalk.org/cve-2024-1333/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

30546402-03b8-4e18-ad7e-04a6b556ffd7

Timeline

Publicly Published

2024-02-26 (about 2 months ago)

Added

2024-02-26 (about 2 months ago)

Last Updated

2024-03-11 (about 2 months ago)

Other

Published

Title

Published

2021-11-17

Title

Preview E-mails for WooCommerce < 2.0.0 - Reflected Cross-Site Scripting

Published

2022-01-18

Title

FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)

Published

2021-06-16

Title

WP Reset < 1.90 - Authenticated Stored XSS

Published

2024-04-26

Title

Filterable Portfolio <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2021-05-14

Title

WooCommerce Amazon Pay 2.0.0 - Reflected Cross-Site Scripting