ShopLentor < 2.5.4 – Contributor+ Stored XSS | CVE 2023-0231 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

As a contributor, add a "WL : FAQ" Gutenberg block to a post, and put the following payload in the "Additional CSS class(es)" advance settings of the block:

" onmouseover="alert(/XSS/)" style="background:red;"

The payload will be triggered when viewing/previewing the post and moving the mouse over the red block.

Note: A Template Builder needs to be present (one can be created by an admin at /wp-admin/edit.php?post_type=woolentor-template)

Affects Plugins

woolentor-addons

Fixed in 2.5.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

533c19d5-219c-4389-a8bf-8b3a35b33b20

Timeline

Publicly Published

2023-01-28 (about 1 years ago)

Added

2023-01-28 (about 1 years ago)

Last Updated

2023-01-28 (about 1 years ago)

Other

Published

Title

Published

2023-03-21

Title

Lazy Social Comments < 2.0.5 - Admin+ Stored Cross-Site Scripting

Published

2024-04-25

Title

OneClick Chat to Order < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2019-10-02

Title

Download Plugins and Themes from Dashboard < 1.6.0 - Unauthenticated Stored XSS

Published

2019-05-16

Title

Toggle The Title <= 1.4 - XSS

Published

2023-06-12

Title

WPForms Google Sheet Connector < 3.4.6 - Reflected XSS