MM-email2image <= 0.2.5 – Contributor+ Stored XSS | CVE 2024-3075

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

Add the following payload to a post:

```
[e2i color='red" onmouseover="alert(/XSS/)"' size="3" bgcolor="0044AA" trans="NO"] text [/e2i]
```

Affects Plugins

mm-email2image

No known fix

References

CVE

CVE-2024-3075

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

bobmatyas

Verified

Yes

WPVDB ID

450375f6-a9d4-49f6-8bab-867774372795

Timeline

Publicly Published

2024-04-05 (about 1 months ago)

Added

2024-04-05 (about 1 months ago)

Last Updated

2024-04-05 (about 1 months ago)

Other

Published

Title

Published

2024-05-13

Title

Sydney Toolbox < 1.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget

Published

2022-11-17

Title

Ezoic < 2.8.9 - Admin+ Stored XSS

Published

2022-10-24

Title

Auto Upload Images < 3.3.1 - Admin+ Stored Cross-Site Scripting

Published

2024-03-29

Title

pageMash > Page Management <= 1.3.0 - Reflected Cross-Site Scripting

Published

2023-11-16

Title

Jetpack < 12.8-a.3 - Contributor+ Stored XSS via block attribute