WordPress Plugin Vulnerabilities
WP phpMyAdmin < 5.2.0.4 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
Proof of Concept
Put the following payload in the "phpMyAdmin on hosting" settings (/wp-admin/admin.php?page=wp-phpmyadmin-extension) of the plugin: "autofocus onfocus=alert(/XSS/)//
Affects Plugins
Fixed in version 5.2.0.4
References
Classification
Miscellaneous
Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-08-01 (about 10 months ago)
Added
2022-08-01 (about 10 months ago)
Last Updated
2023-05-01 (about 27 days ago)