WordPress Plugin Vulnerabilities

Querlo Chatbot <= 1.2.4 - Stored Cross-Site Scripting

Description

The plugin does not escape or sanitize chat messages, leading to a stored Cross-Site Scripting vulnerability.

Proof of Concept

Submit the following in the chat message:

"#"><image src=/ onerror=alert("XSS")>"

See the XSS in Querlo.

Affects Plugins

Plugin icon
querlo-chatbots
No known fix

References

CVE
CVE-2023-3418

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
Rafael B.
Submitter
Rafael B.
Verified
Yes
WPVDB ID
407edb21-8fcb-484a-babb-fce96a6aede7

Timeline

Publicly Published
2023-06-26 (about 5 months ago)
Added
2023-06-26 (about 5 months ago)
Last Updated
2023-06-26 (about 5 months ago)

Other

Published
Title
Published
2021-06-09
Title
Advanced AJAX Product Filters < 1.5.4.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Mobiloud 1.9.0 - comments/disqus_count.php shortname Parameter Reflected XSS
Published
2018-06-04
Title
Advance Search for WooCommerce < 1.1 - Multiple XSS
Published
2022-10-10
Title
Rock Convert < 2.6.0 - Reflected Cross-Site Scripting
Published
2015-08-25
Title
Post video players <= 1.136 - Authenticated Stored Cross-Site Scripting (XSS)