WordPress Plugin Vulnerabilities

VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS

Description

The plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

Proof of Concept

Make a logged in admin open the below URL using web browser which does not encode characters

https://example.com/wp-admin/admin.php?page=vkExUnit_css_customize&b="><svg/onload=alert(/XSS/)>

Affects Plugins

Plugin icon
vk-all-in-one-expansion-unit
Fixed in 9.87.1.0

References

CVE
CVE-2023-0937

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.2 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
5110ff02-c721-43eb-b13e-50aca25e1162

Timeline

Publicly Published
2023-02-23 (about 1 years ago)
Added
2023-02-23 (about 1 years ago)
Last Updated
2023-02-23 (about 1 years ago)

Other

Published
Title
Published
2023-12-27
Title
Restaurant Reservations < 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-09-28
Title
WP Reactions Lite < 1.3.6 - Authenticated Stored Cross Site Scripting
Published
2010-11-01
Title
Cforms <= 13.1 - 'lib_ajax.php' Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Optinfirex - lp/index.php id Parameter Reflected XSS
Published
2023-02-02
Title
EZP Coming Soon Page < 1.0.7.4 - Admin+ Stored XSS