ConvertKit < 2.0.5 – Contributor+ Stored XSS | CVE 2022-4508 | Plugin Vulnerabilities

Description

The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Proof of Concept

Exploit: [convertkit_product product='1' text='XSS' text_color='red" onmouseover="alert(1)"']

Note: The exploit requires registering on the CoverKit website, entering the API key in the settings, adding a product, and entering the CoverKit product id in the shortcode. The product can also be a draft; it does not need to be published.

Affects Plugins

Fixed in 2.0.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

5101a979-7a53-40bf-8988-6347ef851eab

Timeline

Publicly Published

2022-12-23 (about 1 years ago)

Added

2022-12-26 (about 1 years ago)

Last Updated

2022-12-26 (about 1 years ago)

Other

Published

Title

Published

2021-06-28

Title

Yada Wiki < 3.4.1 - Contributor+ Stored XSS

Published

2014-08-01

Title

XEN Carousel < 0.12.2 - XSS vulnerabilities in xencarousel-admin.js.php via path or ajaxpath parameter

Published

2022-11-19

Title

Quizlord <= 2.0 - Admin+ Stored XSS

Published

2017-06-02

Title

Spiffy Calendar < 3.3.0 - Reflected Cross-Site Scripting (XSS)

Published

2024-03-13

Title

Contact Form by BestWebSoft < 4.2.9 - Reflected Cross-Site Scripting via cntctfrm_contact_address