Easy Table of Contents < 2.0.66 – Admin+ Stored XSS | CVE 2024-5573 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

You should create new post with two more heading. Go to the settings of the plugin and change "ez-toc-settings[heading_text_tag]" field to "Malicious JS code eval() and etc. For example img src=x onerror=alert(1)" -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

Affects Plugins

easy-table-of-contents

Fixed in 2.0.66

References

CVE

URL

https://research.cleantalk.org/cve-2024-5573/

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

3b01044b-355f-40d3-8e11-23a890f98c76

Timeline

Publicly Published

2024-06-05 (about 1 year ago)

Added

2024-06-05 (about 1 year ago)

Last Updated

2024-06-18 (about 1 year ago)

Other

Published

Title

Published

2024-04-03

Title

WooCommerce Customers Manager < 29.8 - Reflected XSS

Published

2024-04-16

Title

WP Stripe Checkout < 1.2.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2023-12-05

Title

Smart External Link Click Monitor [Link Log] <= 5.0.2 - Reflected Cross-Site Scripting

Published

2017-05-16

Title

WP Booking System < 1.4 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-01-06

Title

Crelly Slider < 1.4.7 - Admin+ Stored XSS