Widgets for Google Reviews < 9.8 – Contributor+ Stored XSS | CVE 2022-4470

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Proof of Concept

Exploit shortcode:

[trustindex data-widget-id="' onmouseover='alert(1)' style='background:red;width:300px;height:300px;"]

Affects Plugins

wp-reviews-plugin-for-google

Fixed in 9.8

References

CVE

CVE-2022-4470

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

LanaCodes

Verified

Yes

WPVDB ID

7c4e51b3-87ef-4afc-ab53-9a9bbdcfc9d7

Timeline

Publicly Published

2023-01-05 (about 1 years ago)

Added

2023-01-05 (about 1 years ago)

Last Updated

2023-01-05 (about 1 years ago)

Other

Published

Title

Published

2022-09-26

Title

Social Media Follow Buttons Bar <= 4.73 - Admin+ Stored XSS

Published

2023-05-11

Title

BuddyForms < 2.8.2 - Contributor+ Stored XSS

Published

2023-10-17

Title

User Feedback < 1.0.10 - Unauthenticated Stored XSS

Published

2020-03-05

Title

Contact Form by WPForms < 1.5.9 - Authenticated Cross-Site Scripting (XSS)

Published

2015-06-30

Title

NewStatPress <= 1.0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)