WordPress Plugin Vulnerabilities
Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
Description
Multiple stored cross-site scripting vulnerabilities in Testimonials Widget 3.5.1 and lower allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the following testimonial fields:
- Author
- Job Title
- Location
- Company
- Email
- URL
Successful exploitation allows an authenticated, medium-privileged user (Contributor or above) to inject arbitrary JavaScript or HTML, which is then executed in the browser of every user visiting the affected page. Note: testimonials added by a Contributor go through a manual review process before they are published.
May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11th, 2020 - WP Plugins Team Investigating
July 3rd, 2020 - No updates, releasing.
July 12th, 2020 - v4.0.0 released, fixing the issues.
Proof of Concept
1. Download and install "Testimonials Widget 3.5.1" from https://wordpress.org/plugins/testimonials-widget/
2. Go to the "Testimonials" tab in the sidebar and create a new testimonial by clicking the "Add New" button.
3. Enter the testimonial's name and content. In the "Author", "Job Title", "Location", "Company" and "URL" fields of "Testimonial Data", input an XSS vector, for example: <script>alert(document.domain)</script>
4. Save the changes and click "Submit for Review" (if the role is Contributor) or "Publish" (if the role is Author or Editor).
5. Visit the permalink, e.g. http://example.com/?testimonials-widget=<name-of-testimonial>, or a post that embeds the shortcode (e.g. [testimonials limit=5 paging=true char_limit=0]); the injected JavaScript is executed.

The problem lies in the files in the "templates/" folder, where the plugin echoes user-supplied values without escaping them. For example, testimonials-widget/templates/span-author.php:

    <?php
    global $tw_template_args;
    $testimonial = $tw_template_args['testimonial'];
    $author = empty( $testimonial['testimonial_author'] ) ? $testimonial['testimonial_source'] : $testimonial['testimonial_author'];
    ?>
    <span class="author"><?php echo $author; ?></span>
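The following is an added example, not code from the Testimonials Widget plugin, from the 4.0.0 fix, or from this advisory. It places the unescaped echo pattern quoted above next to a hardened form of the same template logic and renders both against a constructed testimonial record, so the difference is visible from the command line. The `esc_html()`/`esc_url()` definitions are simplified stand-ins for the WordPress functions of the same name, provided only so the script runs outside WordPress, and the `testimonial_url` key is an assumed field name that does not appear on the page.

```php
<?php
// Added example (not the plugin's or the advisory's own code).
// Run with: php example.php

// Stand-ins for WordPress' esc_html()/esc_url() so this runs outside WordPress.
// Inside a plugin, call the real functions and drop these definitions.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        // Entity-encode everything significant in an HTML text node or attribute.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in: only http(s) URLs survive; javascript:, data: etc. are dropped.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed record shaped like $tw_template_args['testimonial'] as read by the
// templates; 'testimonial_author'/'testimonial_source' follow span-author.php,
// 'testimonial_url' is an assumed key name for the URL field.
$tw_template_args = array(
    'testimonial' => array(
        'testimonial_author' => '<script>alert(document.domain)</script>',
        'testimonial_source' => 'fallback source',
        'testimonial_url'    => 'javascript:alert(1)',
    ),
);

// Vulnerable pattern as quoted in the advisory: the stored value is echoed as-is.
function render_author_vulnerable( array $args ) {
    $testimonial = $args['testimonial'];
    $author = empty( $testimonial['testimonial_author'] )
        ? $testimonial['testimonial_source']
        : $testimonial['testimonial_author'];
    return '<span class="author">' . $author . '</span>';
}

// Hardened form: escape at output time with the helper matching the context
// (text node -> esc_html, href attribute -> esc_url). Same fallback logic as above.
function render_author_hardened( array $args ) {
    $testimonial = $args['testimonial'];
    $author = empty( $testimonial['testimonial_author'] )
        ? $testimonial['testimonial_source']
        : $testimonial['testimonial_author'];
    $html = '<span class="author">' . esc_html( $author ) . '</span>';

    $url = esc_url( isset( $testimonial['testimonial_url'] ) ? $testimonial['testimonial_url'] : '' );
    if ( '' !== $url ) {
        $html .= ' <a class="url" href="' . $url . '">' . esc_html( $url ) . '</a>';
    }
    return $html;
}

echo 'vulnerable: ' . render_author_vulnerable( $tw_template_args ) . "\n";
echo 'hardened:   ' . render_author_hardened( $tw_template_args ) . "\n";
```

The vulnerable line emits the `<script>` tag verbatim inside the span, which is exactly what a visitor's browser would execute; the hardened line emits it entity-encoded as inert text and omits the link entirely because the `javascript:` URL is rejected. When auditing a plugin for this class of bug, a quick first pass is to list every `echo $`/`<?= $` in its `templates/` directory and check that each value is wrapped in the escaping helper appropriate to where it lands (text node, attribute, URL).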
Classification
Type
XSS
Miscellaneous
Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Verified
Yes
Timeline
Publicly Published
2020-07-03
Added
2020-07-03
Last Updated
2021-01-23