WordPress Plugin Vulnerabilities

Campaign URL Builder < 1.8.2 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

The shortcode need to be active (can be done via the Shortcode tab settings of the plugin), and a bitly API key set (can be a dummy one such as 'aaa') via the Advanced settings of the plugin

[Campaign-URL-Builder wrapper='" onmouseover="alert(/XSS/)"']

Other attributes were also affected (such as wrapper-inline-style, form-inline-style, input-class, form and custom_parameters)

Affects Plugins

Plugin icon
campaign-url-builder
Fixed in 1.8.2

References

CVE
CVE-2023-0538

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
4869fdc7-4fc7-4917-bc00-b6ced9ccc871

Timeline

Publicly Published
2023-02-16 (about 1 years ago)
Added
2023-02-16 (about 1 years ago)
Last Updated
2023-02-16 (about 1 years ago)

Other

Published
Title
Published
2024-03-26
Title
Exclusive Addons Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-04-12
Title
hiWeb Migration Simple <= 2.0.0.1 Reflected Cross-Site Scripting
Published
2023-10-18
Title
WP Simple HTML Sitemap < 2.6 - Contributor+ Stored XSS
Published
2019-09-16
Title
Simple Fields <= 1.4.11 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2023-01-25
Title
Auto Hide Admin Bar < 1.6.2 - Admin+ Stored XSS