Best Contact Management Software < 3.8 – Admin+ Stored Cross-Site Scripting | CVE 2022-2151 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payload in the "No Access Message" settings (/wp-admin/admin.php?page=wp_easy_contact_settings&tab=misc): <script>alert(/XSS/);</script>

The XSS will be triggered when someone access any quote without enough privileges

Affects Plugins

wp-easy-contact

Fixed in 3.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Benachi

Submitter

Benachi

Submitter twitter

Verified

Yes

WPVDB ID

7c08e4c1-57c5-471c-a990-dcb9fd7ce0f4

Timeline

Publicly Published

2022-06-21 (about 1 years ago)

Added

2022-06-21 (about 1 years ago)

Last Updated

2023-07-07 (about 10 months ago)

Other

Published

Title

Published

2022-08-22

Title

Classima < 2.1.11 - Reflected Cross-Site Scripting

Published

2021-12-06

Title

Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting

Published

2021-09-28

Title

Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting

Published

2023-07-19

Title

Art Decoration Shortcode <= 1.5.6 - Contributor+ Stored XSS

Published

2022-12-23

Title

ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting