WordPress Plugin Vulnerabilities

CDI < 5.1.9 - Reflected Cross-Site-Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=cdi_collect_follow&trk=%3Cscript%3Ealert(`xss`)%3C/script%3E

Note: PHP must be configured with --enable-soap as the plugin appears to import 'SoapClient', which when not found produces an error while installing the plugin.

Affects Plugins

Plugin icon
collect-and-deliver-interface-for-woocommerce
Fixed in 5.1.9

References

CVE
CVE-2022-1933

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
6cedb27f-6140-4cba-836f-63de98e521bf

Timeline

Publicly Published
2022-06-21 (about 1 years ago)
Added
2022-06-21 (about 1 years ago)
Last Updated
2023-03-26 (about 8 months ago)

Other

Published
Title
Published
2022-07-18
Title
Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting
Published
2014-08-01
Title
Quick Paypal Payments 3.0 - Payment Sending Multiple Parameter XSS
Published
2023-01-20
Title
WP Google Map < 4.4.0 - Editor+ Stored XSS
Published
2014-08-01
Title
1-flash-gallery <= 1.9.0 - XSS in ZeroClipboard.swf
Published
2023-02-15
Title
Eyes Only: User Access Shortcode <= 1.8.2 - Admin+ Stored XSS