WordPress Plugin Vulnerabilities

ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS

Description

The plugin does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks

Proof of Concept

As a contributor, put the following payload in a post (the payload will have to be updated accordingly to watch the correct user and domain)

ahoy hoy @user@malicious-activitypub.site

The XSS will be trigged when viewing/previewing the post

Affects Plugins

Plugin icon
activitypub
Fixed in 1.0.0

References

CVE
CVE-2023-5057

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ben Bidner
Verified
Yes
WPVDB ID
58a63507-f0fd-46f1-a80c-6b1c41dddcf5

Timeline

Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)

Other

Published
Title
Published
2024-03-25
Title
WP Directory Kit < 1.3.0 - Reflected Cross-Site Scripting
Published
2022-07-14
Title
Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title
Published
2023-03-17
Title
WP Job Portal < 2.0.6 - Subscriber+ Stored XSS
Published
2021-09-09
Title
WooCommerce Payment Gateway Per Category <= 2.0.10 - Reflected Cross-Site Scripting
Published
2023-11-27
Title
Simple Long Form <= 2.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting