Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS

Description

Multiple stored cross-site scripting vulnerabilities in Testimonials Widget 3.5.1 and lower allow remote attackers to inject arbitrary JavaScript code or HTML via the following parameters:

- Author
- Job Title
- Location
- Company
- Email
- URL

Successful exploitation of this vulnerability would allow an authenticated medium-privileged user (Contributor or higher) to inject arbitrary JavaScript code or HTML. The script is executed for all users visiting the website. Note: testimonials added by a Contributor go through a manual review process before publication.

May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11th, 2020 - WP Plugins Team Investigating
July 3rd, 2020 - No updates, releasing.
July 12th, 2020 - v4.0.0 released, fixing the issues.

Proof of Concept

1. Download and install "Testimonials Widget 3.5.1" from https://wordpress.org/plugins/testimonials-widget/

2. Open the "Testimonials" tab in the sidebar and create a new testimonial by clicking the "Add New" button.

3. Enter a name and content for the testimonial. In the "Author", "Job Title", "Location", "Company" and "URL" fields under "Testimonial Data", enter an XSS vector, for example:

<script>alert(document.domain)</script>

4. Save the changes and click "Submit for Review" (if the role is Contributor) or "Publish" (if the role is Author or Editor).

5. When the permalink is visited, e.g. http://example.com/?testimonials-widget=<name-of-testimonial>, or a post that embeds the shortcode (e.g. [testimonials limit=5 paging=true char_limit=0]), the injected JavaScript is executed.

The problem lies in the files in the "templates/" folder, where the plugin echoes user-supplied values without escaping them:

Example: testimonials-widget/templates/span-author.php

<?php
global $tw_template_args;

// Testimonial record as stored by the plugin; its fields are user-supplied
$testimonial = $tw_template_args['testimonial'];

// Falls back to the source field when no author is set
$author = empty( $testimonial['testimonial_author'] ) ? $testimonial['testimonial_source'] : $testimonial['testimonial_author'];
?>
<!-- Output with no esc_html(): any stored markup is rendered as-is -->
<span class="author"><?php echo $author; ?></span>
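As an added example (not the plugin's or the researcher's code), the following stand-alone PHP script shows the author and URL fields of the template above rendered with output escaping, which is the fix the Proof of Concept steps call for: the stored payload is emitted as inert text and a non-http(s) URL is dropped. It uses PHP's htmlspecialchars() as a stand-in for WordPress's esc_html()/esc_attr()/esc_url(); the testimonial record, its values and the field names other than testimonial_author and testimonial_source are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's own code): escaping testimonial fields on output.
// The plugin's template echoed $author unescaped; here every field is escaped
// before it reaches the page, so stored markup is displayed rather than executed.
// Inside a WordPress template the equivalent calls are esc_html(), esc_attr() and esc_url().

// Constructed sample record shaped like $tw_template_args['testimonial'];
// field names besides testimonial_author/testimonial_source are assumed.
$testimonial = [
    'testimonial_author'   => '<script>alert(document.domain)</script>',
    'testimonial_source'   => 'Fallback Source',
    'testimonial_title'    => 'Engineer',
    'testimonial_location' => 'Example City',
    'testimonial_company'  => 'Example Co',
    'testimonial_email'    => 'user@example.com',
    'testimonial_url'      => 'javascript:alert(1)',
];

// Escape a text value for placement inside an HTML element or attribute.
function esc_text( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Allow only http(s) links; javascript:, data: and other schemes are rejected.
function esc_link( string $url ): string {
    $url = trim( $url );
    if ( ! preg_match( '#^https?://#i', $url ) ) {
        return '';
    }
    return esc_text( $url );
}

// Same fallback logic as span-author.php, with escaping applied before output.
function render_author( array $t ): string {
    $author = empty( $t['testimonial_author'] ) ? $t['testimonial_source'] : $t['testimonial_author'];
    return '<span class="author">' . esc_text( $author ) . '</span>';
}

// Renders the URL field as a link only when it passes the scheme check.
function render_url( array $t ): string {
    $href = esc_link( $t['testimonial_url'] ?? '' );
    if ( '' === $href ) {
        return '';
    }
    return '<a class="url" href="' . $href . '">' . $href . '</a>';
}

// The script payload is shown as text; the javascript: URL produces no link.
echo render_author( $testimonial ), "\n";
echo render_url( $testimonial ), "\n";
```

The same escaping must be applied to every field listed in the Description (Author, Job Title, Location, Company, Email, URL), since each one reaches the page through its own template file in "templates/".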

Affects Plugins

Fixed in 4.0.0

Classification

Type
XSS

Miscellaneous

Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Verified
Yes

Timeline

Publicly Published
2020-07-03
Added
2020-07-03
Last Updated
2021-01-23