Klaviyo <= 3.0.10 – Admin+ Stored XSS | CVE 2023-0874 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Go to Klaviyo Settings, and at Klaviyo Settings in thePublic API Key field, put: "autofocus onfocus=alert(1)//
2. Submit and the alert will trigger.

Affects Plugins

Fixed in 3.0.10

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Submitter

Rafshanzani Suhada

Submitter website

https://0xshdax.github.io

Submitter twitter

Verified

Yes

WPVDB ID

495e39db-793d-454b-9ef1-dd91cae2c49b

Timeline

Publicly Published

2023-03-20 (about 1 years ago)

Added

2023-03-20 (about 1 years ago)

Last Updated

2023-03-20 (about 1 years ago)

Other

Published

Title

Published

2023-06-20

Title

Contact Form by WPForms < 1.8.1.3 - Reflected XSS

Published

2021-10-19

Title

Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting

Published

2023-12-07

Title

WP Project Manager < 2.6.9 - Subscriber+ Stored XSS

Published

2023-11-28

Title

Currency Converter Calculator < 1.3.2 - Contributor+ Stored XSS

Published

2017-05-31

Title

WP No External Links <= 3.5.18 – Authenticated Cross-Site Scripting (XSS)