Social comments by WpDevArt < 2.5.0 – Admin+ Stored Cross-Site Scripting | CVE 2022-0876 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

Put the following payload in any of the plugin's text field settings (such as Title , Title font-size etc): "><svg onload=prompt(1)//

Then save and reload the settings to trigger the XSS. The XSS will also trigger in pages/posts where the plugin's shortcode is embed

Affects Plugins

comments-from-facebook

Fixed in 2.5.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Submitter

Mika

Submitter website

https://mikadmin.fr/

Submitter twitter

Verified

Yes

WPVDB ID

73be6e92-ea37-4416-977d-52ee2afa022a

Timeline

Publicly Published

2022-04-04 (about 2 years ago)

Added

2022-04-04 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2023-10-16

Title

User Registration < 3.0.4.2 - Admin+ Stored XSS

Published

2014-11-26

Title

Google Analytics by Yoast <= 5.1.2 Cross-Site Scripting (XSS)

Published

2014-08-01

Title

Repagent - dewplayer-vinyl-en.swf xml Parameter XML File H&ling XSS

Published

2021-08-10

Title

Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting

Published

2021-03-17

Title

Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget