How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Icegram < 2.1.8 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

Create/edit a campaign (such as a Black Friday one), check the "Use Opt-in / Subscription / Lead capture form" settings and put the following payload in the "message_data[6130][form_header]" and "message_data[6130][form_footer]" fields: <img src onerror=alert(/XSS/)>

The XSS will be triggered when viewing/previewing the campaign

Affects Plugins

Fixed in version 2.1.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Pritam Dash

Submitter

Pritam Dash

Verified

Yes

WPVDB ID

46ed56db-9b9d-4390-80fc-343a01fcc3c9

Timeline

Publicly Published

2022-06-01 (about 3 months ago)

Added

2022-06-01 (about 3 months ago)

Last Updated

2022-06-01 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin