WordPress Plugin Vulnerabilities
Request a Quote < 2.3.9 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
The issue was initially fixed in 2.3.5 but re-introduced and the latest 2.3.7 is affected again
Proof of Concept
As admin, put the below payloads in the related vulnerable field/s and save them (there is some validation done client side for the Maximum fields, but won't be done server side, so either repeat the request with the payloads, or inject the fields in the web browser and change them to text type) Affected fields and related payloads: - Base Slug (request_a_quote_ent_map_list[emd_quote][rewrite]): '><script>alert(/XSS/)</script> Attachments Section - Maximum files (request_a_quote_ent_map_list[emd_quote][max_files][emd_contact_attachment]): "><script>alert(/XSS/)</script> - Maximum file size (request_a_quote_ent_map_list[emd_quote][max_file_size][emd_contact_attachment]): "><script>alert(/XSS/)</script> - Allowed file extensions (request_a_quote_ent_map_list[emd_quote][file_exts][emd_contact_attachment]): </textarea><script>alert(/XSS/)</script> The XSS will be triggered when viewing a Quote in the "All Quotes" dashboard, as well as in the Quote form in the frontend
Affects Plugins
Fixed in 2.3.9 References
CVE
YouTube Video
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
YoshiKen
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-09-21 (about 2 years ago)
Added
2021-09-21 (about 2 years ago)
Last Updated
2023-04-04 (about 1 years ago)
WPScan 