123.chat < 1.3.1 – Admin+ Stored XSS | CVE 2023-4298

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

In the plugin's "User-ID" setting field, enter the payload:

"></script><script>alert("XSS")</script>

Save the changes and see the XSS.

Affects Plugins

123-chat-videochat

Fixed in 1.3.1

References

CVE

CVE-2023-4298

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Jonatas Souza Villa Flor

Submitter

Jonatas Souza Villa Flor

Submitter website

https://decriptosec.com/

Submitter twitter

0xp1p3

Verified

Yes

WPVDB ID

36285052-8464-4fd6-b4b1-c175e730edad

Timeline

Publicly Published

2023-08-14 (about 9 months ago)

Added

2023-08-14 (about 9 months ago)

Last Updated

2023-08-14 (about 9 months ago)

Other

Published

Title

Published

2009-07-29

Title

Google Analyticator < 5.2.1 - XSS

Published

2010-12-07

Title

Twitter Feed < 1.0 - XSS

Published

2014-04-25

Title

Style It <= 1.0 - XSS

Published

2024-04-18

Title

Save as PDF < 3.2.0 - Admin+ Stored XSS

Published

2022-08-29

Title

Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS