Sola Support Ticket <= 3.12 – XSS & Configuration Change | CVE 2016-11012 | Plugin Vulnerabilities

Description

Any logged in user with any role and access to wp-admin in any way can update plugin settings including allowing HTML to be parsed. One can also change any notification messages to include JS which then can be used to obtain information by forgery.

Proof of Concept

Make POST request to /wp-admin with parameters

sola_st_save_settings:1
sola_st_settings_allow_html:1
sola_st_settings_thank_you_text:<script>alert(1);</script>

Affects Plugins

sola-support-tickets

Fixed in 3.13

References

CVE

URL

https://plugins.trac.wordpress.org/changeset?old_path=%2Fsola-support-tickets%2Ftags%2F3.12&old=1350554&new_path=%2Fsola-support-tickets%2Ftags%2F3.13&new=1350554&sfp_email=&sfph_mail=

Miscellaneous

Submitter

Justin Greer

Submitter website

http://justin-greer.com

Submitter twitter

justingreer2014

Verified

No

WPVDB ID

5a1143ff-65b0-404f-be63-86b3e5d775df

Timeline

Publicly Published

2016-01-28 (about 10 years ago)

Added

2016-02-14 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2020-10-02

Title

WordPress + Microsoft Office 365 < 11.7 - JWT Signature Verification Bypass

Published

2018-03-02

Title

NextGEN Gallery < 2.2.50 - Galley Paths Not Secured

Published

2015-12-14

Title

Admin Management Xtended <= 2.4.0 - Privilege Escalation

Published

2014-06-26

Title

JSON REST API 1.1 - JSONP SOP Bypass

Published

2022-07-11

Title

YOP Poll < 6.4.3 - IP Spoofing