WordPress Plugin Vulnerabilities
WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting
Description
The plugin adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the key: "wps_subtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button (via AJAX) - and this makes the XSS exploitable by authenticated users with a role as low as contributor.
Proof of Concept
- Create a post as contributor+ with the following shortcode in it [wp_subtitle], save the post - Add a custom field named "wps_subtitle” with the following payload as value: <script>alert(/XSS/)</script> and save it **without** updating the post (from the custom fields meta box) - View/preview the post/page to trigger the XSS
Affects Plugins
Fixed in 3.4.1 References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Francesco Carlucci
Submitter
Francesco Carlucci
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-04-25 (about 2 years ago)
Added
2022-04-25 (about 2 years ago)
Last Updated
2023-02-05 (about 1 years ago)
WPScan 