The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Put the following payload in the System > Miscellaneous > Custom Timezone setting of the plugin: "><details open ontoggle="alert(/XSS/)"> The XSS will be triggered when viewing the settings page Put the following payload "><details open ontoggle="alert(/XSS/)"> in Texts > Before Voting / After Voting / Answer Buttons / Admin Columns > Feedback settings The XSS will be triggered when viewing a post/page where with the Helpful Widget is displayed, or after a vote depending on the vulnerable field/s used Put the following payload in the Feedback > Messages: "><details open ontoggle="alert(/XSS/)"> The plugin fixes from 4.4.56 to 4.4.58 were insufficient as not escaping data when output in attributes, allowing for payloads such as " style=animation-name:rotation onanimationstart=alert(/XSS/)//
Mika
Mika
Yes
2021-10-18 (about 1 years ago)
2021-10-18 (about 1 years ago)
2022-04-09 (about 1 years ago)