Ultimate Carousel For WPBakery Page Builder <= 2.6 – Contributor+ Stored XSS | CVE 2023-0267

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

The plugin author was made aware of this vulnerability on Jan 13, 2023.

Proof of Concept

Exploit shortcode:

[na_posts_carousel slide_visible_mbl='" onmouseover="alert(1)" style="background:red;"']

Affects Plugins

ultimate-carousel-for-visual-composer

No known fix

References

CVE

CVE-2023-0267

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

LanaCodes

Verified

Yes

WPVDB ID

7ba7849d-e07b-465a-bfb7-10c8186be140

Timeline

Publicly Published

2023-04-17 (about 1 years ago)

Added

2023-04-17 (about 1 years ago)

Last Updated

2023-04-17 (about 1 years ago)

Other

Published

Title

Published

2024-03-21

Title

Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.26 - Contributor+ Stored XSS

Published

2024-04-16

Title

WP Club Manager < 2.2.12 - Authenticated (Player+) Stored Cross-Site Scripting

Published

2023-04-12

Title

Cloud Manager <= 1.0 - Reflected XSS

Published

2023-02-13

Title

Announce from the Dashboard < 1.5.2 - Admin+ Stored XSS

Published

2021-08-09

Title

Tutor LMS < 1.9.6 - Reflected Cross-Site Scripting