WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the key: "wps_subtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button (via AJAX) - and this makes the XSS exploitable by authenticated users with a role as low as contributor.

Proof of Concept

- Create a post as contributor+ with the following shortcode in it [wp_subtitle], save the post
- Add a custom field named "wps_subtitle” with the following payload as value: <script>alert(/XSS/)</script> and save it **without** updating the post (from the custom fields meta box)
- View/preview the post/page to trigger the XSS

Affects Plugins

wp-subtitle
Fixed in version 3.4.1

References

CVE
CVE-2022-1393

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website
https://opencirt.com/
Submitter twitter
francecarlucci
Verified

Yes

WPVDB ID
3491b889-94dd-4507-9fed-58f48d8275cf

Timeline

Publicly Published

2022-04-25 (about 5 months ago)

Added

2022-04-25 (about 5 months ago)

Last Updated

2022-04-25 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin