WordPress Plugin Vulnerabilities
Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS
Description
The plugin does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin.
Proof of Concept
1. Install and activate WoocCommerce (dependency, no configuration required) 2. Install the vulnerable plugin (pardakht-delkhah 2.9.2) 3. Under plugin's menu, "Custom payment" > "Gateway Settings", hit the save button to set the default gateway. 4. Invoke the following curl request to store two XSS payloads (both of which will trigger an alert box: curl http://localhost:10008/wp-admin/admin-ajax.php \ --data 'action=cupri_action&cupri_fmobile=981111111111&cupri_fprice="><script>alert(`xss1`)</script>&cupri_f0="><script>alert(`xss2`)</script>' 5. The XSS will be triggered when an admin navigates to the plugin's menu (/wp-admin/edit.php?post_type=cupri_pay)
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-27 (about 1 years ago)
Added
2022-12-27 (about 1 years ago)
Last Updated
2022-12-27 (about 1 years ago)