Maspik – Advanced Spam protection < 2.1.3 – Admin+ Stored XSS | CVE 2024-9182 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Proof of Concept

1. Go to the Maspik Spam Plugin tab
2. Go to the blacklist options section. 
3. In the "General" section, add the payload `123123"onmouseover='alert(1)'` for the "Default validation error message".
4. Save and move your mouse over the default validation message input field to see the XSS.

Affects Plugins

contact-forms-anti-spam

Fixed in 2.1.3

References

CVE

URL

https://research.cleantalk.org/CVE-2024-9182/

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

40007323-d684-430d-a882-8b4dfb76172b

Timeline

Publicly Published

2024-08-13 (about 1 year ago)

Added

2024-10-02 (about 1 year ago)

Last Updated

2024-10-02 (about 1 year ago)

Other

Published

Title

Published

2024-04-05

Title

Gradient Text Widget for Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-24

Title

Awesome Wp Image Gallery <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-08-28

Title

SureCart < 2.29.4 - Reflected Cross-Site Scripting

Published

2024-03-25

Title

Shortlinks by Pretty Links < 3.6.3 - Reflected Cross-Site Scripting via post_status

Published

2023-11-07

Title

Q2W3 Post Order <= 1.2.8 - Reflected Cross-Site Scripting