Easy Table of Contents < 2.0.66 – Admin+ Stored XSS | CVE 2024-5573 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

You should create new post with two more heading. Go to the settings of the plugin and change "ez-toc-settings[heading_text_tag]" field to "Malicious JS code eval() and etc. For example img src=x onerror=alert(1)" -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

Affects Plugins

easy-table-of-contents

Fixed in 2.0.66

References

CVE

URL

https://research.cleantalk.org/cve-2024-5573/

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

3b01044b-355f-40d3-8e11-23a890f98c76

Timeline

Publicly Published

2024-06-05 (about 25 days ago)

Added

2024-06-05 (about 24 days ago)

Last Updated

2024-06-18 (about 11 days ago)

Other

Published

Title

Published

2024-03-16

Title

RegistrationMagic < 5.2.6.0 - Reflected Cross-Site Scripting

Published

2015-06-25

Title

WordPress Landing Pages <= 1.8.7 - Unspecified Cross-Site Scripting (XSS)

Published

2022-08-22

Title

Classima < 2.1.11 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

timelineoptinpro - XSS

Published

2024-02-09

Title

Brooklyn <= 4.9.7.6 - Reflected Cross-Site Scripting