WordPress Plugin Vulnerabilities

Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed

Proof of Concept

Put the following payload in the "iCal link text" Feed Settings of the plugin (/wp-admin/edit.php?post_type=el_events&page=el_admin_settings&tab=feed): "><img src onerror=alert(/XSS/)>

General > Text for no events settings also affected

Affects Plugins

Plugin icon
event-list
Fixed in 0.8.8

References

CVE
CVE-2022-0418

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Akash Rajendra Patil
Submitter
Akash Rajendra Patil
Submitter website
https://akashpatil.me
Submitter twitter
skypatil98
Verified
Yes
WPVDB ID
74888a9f-fb75-443d-bb85-0120cbb764a0

Timeline

Publicly Published
2022-04-05 (about 2 years ago)
Added
2022-04-05 (about 2 years ago)
Last Updated
2022-04-18 (about 2 years ago)

Other

Published
Title
Published
2023-01-10
Title
YourChannel: Everything you want in a YouTube plugin < 1.2.3 - Contributor+ Stored XSS via Shortcode
Published
2024-03-28
Title
Landing Page Builder < 1.5.1.8 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Zingiri Forum 1.4.2 - forum.php zing_forum_output Function url Parameter XSS
Published
2021-04-08
Title
WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS
Published
2014-08-01
Title
WP Photo Album Plus - wp-admin/admin.php edit_id Parameter XSS