WordPress Plugin Vulnerabilities
Helpful < 4.4.59 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Proof of Concept
Put the following payload in the System > Miscellaneous > Custom Timezone setting of the plugin: "><details open ontoggle="alert(/XSS/)"> The XSS will be triggered when viewing the settings page Put the following payload "><details open ontoggle="alert(/XSS/)"> in Texts > Before Voting / After Voting / Answer Buttons / Admin Columns > Feedback settings The XSS will be triggered when viewing a post/page where with the Helpful Widget is displayed, or after a vote depending on the vulnerable field/s used Put the following payload in the Feedback > Messages: "><details open ontoggle="alert(/XSS/)"> The plugin fixes from 4.4.56 to 4.4.58 were insufficient as not escaping data when output in attributes, allowing for payloads such as " style=animation-name:rotation onanimationstart=alert(/XSS/)//
Affects Plugins
Fixed in version 4.4.59
References
Classification
Miscellaneous
Original Researcher
Mika
Submitter
Mika
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-10-18 (about 8 months ago)
Added
2021-10-18 (about 8 months ago)
Last Updated
2022-04-09 (about 2 months ago)