WordPress Plugin Vulnerabilities

Strong Testimonials < 3.1.12 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view configuration (the "Full Name" custom field displayed as a link) to be in use.

Proof of Concept

Setup (as admin):
- Create a view (/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views)
- In the "Custom Fields" section, click on "Full Name" and set "Display Type" to "link (must be URL type)"
- Save the view, and put its shortcode (eg [testimonial_view id="1"]) in a post/page

As Contributor:
- add a testimonial, set the Full Name to 123"onmouseover='alert(/XSS/)'
- Submit the testimonial for review (or publish it if using an Author+ role)

Once the testimonial is approved/published, the XSS is triggered in the post where the view is embedded whenever a user moves the mouse over the generated testimonial link.

The attack could also be done via an Author role, to not have to wait for an admin to approve the testimonial.
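The root cause described above, as an added illustration that is not the plugin's own code: a "Full Name" value dropped straight into the link's href attribute breaks out of the attribute, while a renderer that enforces the documented "must be URL type" constraint and escapes for the attribute context leaves the same value inert. The function names, the markup layout, and the use of filter_var()/htmlspecialchars() in place of WordPress' esc_url()/esc_attr() are assumptions for a stand-alone script.

```php
<?php
// Assumed layout, not Strong Testimonials internals: the field value is
// rendered as <a href="...">...</a> when Display Type is "link".

// Vulnerable pattern: the stored field value is written into an attribute
// with no validation and no escaping, so a double quote ends the href and
// whatever follows becomes a new attribute on the <a> element.
function render_name_link_vulnerable(string $full_name): string {
    return '<a href="' . $full_name . '">' . $full_name . '</a>';
}

// Hardened pattern: the "link" display type is only meant for URLs, so
// (1) reject anything that is not a well-formed http(s) URL and fall back
// to escaped plain text, and (2) escape the accepted URL for the attribute
// and text contexts. In WordPress, esc_url() plus esc_attr()/esc_html()
// give the equivalent behaviour.
function render_name_link_hardened(string $full_name): string {
    $url = filter_var(trim($full_name), FILTER_VALIDATE_URL);
    $scheme = $url !== false
        ? strtolower((string) parse_url($url, PHP_URL_SCHEME))
        : '';
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        // Not a URL (or a non-http scheme such as javascript:): no link at all.
        return htmlspecialchars($full_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

// Constructed inputs: the advisory's proof-of-concept value and a benign URL.
$inputs = [
    '123"onmouseover=\'alert(/XSS/)\'',
    'https://example.com/profile',
];

foreach ($inputs as $value) {
    echo "input:      $value\n";
    echo "vulnerable: " . render_name_link_vulnerable($value) . "\n";
    echo "hardened:   " . render_name_link_hardened($value) . "\n\n";
}
```

Run with `php example.php`; the vulnerable line shows the onmouseover attribute landing on the element, the hardened line shows the PoC value reduced to escaped text and only the real URL becoming a link.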

Affects Plugins

Fixed in 3.1.12

Classification

Type
XSS

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Verified
Yes

Timeline

Publicly Published
2024-04-03
Added
2024-04-03
Last Updated
2024-04-17
