WP-Lister Lite for Amazon < 2.4.4 – Reflected XSS | CVE 2022-4369 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high-privilege users such as admin.

Proof of Concept

1. Install and activate WooCommerce (dependency, no setup required)
2. Install and activate the vulnerable plugin (wp-lister-for-amazon 2.4.2)

Make a logged-in admin and open the following URL:

https://example.com/wp-admin/admin.php?page=wpla-settings&tab=accounts&spapi_oauth_code=x&selling_partner_id=xxx"><script>alert(`xss`)</script>

Affects Plugins

wp-lister-for-amazon

Fixed in 2.4.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

460a01e5-7ce5-4d49-b068-a93ea1fba0e3

Timeline

Publicly Published

2022-12-09 (about 1 years ago)

Added

2022-12-09 (about 1 years ago)

Last Updated

2022-12-09 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

drp-coupon <= 2.1 - XSS in ZeroClipboard

Published

2022-10-18

Title

Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting

Published

2014-08-01

Title

GRAND Flash Album Gallery < 1.67 - Reflected Cross-Site Scripting

Published

2023-01-03

Title

Blockonomics < 3.5.8 - Reflected Cross-Site Scripting

Published

2022-12-07

Title

GC Testimonials <= 1.3.2 - Contributor+ Stored XSS