WordPress Plugin Vulnerabilities

WP OAuth Server < 4.2.2 - Admin+ Stored XSS

Description

The plugin does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Edit a client ("OAuth Server > Clients) and put the following payload in the "Client ID" field: "><script>alert(/XSS/)</script>

The XSS will be triggered in the Clients list, as well as when editing the client

v4.2.1 added sanitisation, but no escaping, so a payload like " style=animation-name:rotation onanimationstart=alert(/XSS/)// would work as well (but only be triggered when editing the client)

Affects Plugins

Plugin icon
oauth2-provider
Fixed in 4.2.2

References

CVE
CVE-2022-3892

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
33dddaec-a32a-4fce-89d6-164565be13e1

Timeline

Publicly Published
2022-11-08 (about 1 years ago)
Added
2022-11-08 (about 1 years ago)
Last Updated
2022-11-08 (about 1 years ago)

Other

Published
Title
Published
2023-01-19
Title
Camera slideshow <= 1.4.0.1 - Reflected Cross-Site Scripting
Published
2021-03-31
Title
Realteo < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2024-04-26
Title
Form Maker by 10Web < 1.15.25 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Published
2020-04-02
Title
Contact Form 7 Datepicker <= 2.6.0 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2021-07-08
Title
Grow Social < 1.19.0 - Reflected Cross-Site Scripting