Shared Files < 1.7.6 – Unauthenticated Stored Cross-Site Scripting | CVE 2023-4819 | Plugin Vulnerabilities

Description

The plugin does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts.

Proof of Concept

Upload an allowed WordPress extension such as JPG and inject it with a script such as: <script>alert(1);</script>. To access the resource, the uploaded file ID can be seen in the source code of the (Preview) button under data-file-url as such: /shared-files/{FILE_ID}/?xss.jpg and can be triggered using HTTP://url.com/shared-files/{FILE_ID}/?xss.jpg

Affects Plugins

Fixed in 1.7.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Zeyad Alshahrani

Submitter

Zeyad Alshahrani

Submitter website

https://github.com/ViktaVaughn

Verified

Yes

WPVDB ID

4423b023-cf4a-46cb-b314-7a09ac08b29a

Timeline

Publicly Published

2023-09-21 (about 7 months ago)

Added

2023-09-21 (about 7 months ago)

Last Updated

2023-09-25 (about 7 months ago)

Other

Published

Title

Published

2024-05-07

Title

HT Mega – Absolute Addons For Elementor < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget

Published

2018-01-30

Title

WP Retina 2x < 5.2.3 - Cross-Site Scripting (XSS)

Published

2023-05-12

Title

WP Register Profile With Shortcode < 3.5.9 - Admin+ Stored XSS

Published

2024-01-23

Title

WordPress Button Plugin MaxButtons < 9.7.7 - Contributor+ Stored XSS

Published

2023-01-17

Title

YaMaps for WordPress Plugin < 0.6.26 - Contributor+ Stored XSS