PubyDoc <= 2.0.6 – Admin+ Stored XSS | CVE 2023-4970 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

1) After the installing the plugin, create a new table at /wp-admin/admin.php?page=pyt-tables&tab=tables-new, and insert the following malicious XSS payload in its "Title" field: `"><img src=x onerror=confirm(1)>`

2) Save the payload, and notice the injection alert() box popping up when viewing the full list of tables in `/wp-admin/admin.php?page=pyt-tables&tab=tables`

Affects Plugins

pubydoc-data-tables-and-charts

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vaishnav Rajeevan

Submitter

Vaishnav Rajeevan

Submitter website

https://twitter.com/vaishnavrajeev6

Submitter twitter

vaishnavrajeev6

Verified

Yes

WPVDB ID

845bbfdd-fe9f-487c-91a0-5fe10403d8a2

Timeline

Publicly Published

2023-10-27 (about 2 years ago)

Added

2023-10-27 (about 2 years ago)

Last Updated

2023-10-27 (about 2 years ago)

Other

Published

Title

Published

2024-07-17

Title

vCita Online Booking & Scheduling Calendar < 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2016-02-10

Title

OptionTree < 2.6.0 - Authenticated Cross-Site Scripting (XSS)

Published

2014-08-01

Title

Choices - Unspecified XSS

Published

2023-09-01

Title

HollerBox < 2.3.3 - Admin+ Stored XSS

Published

2024-04-16

Title

Otter Blocks < 2.6.10 - Contributor+ Stored XSS via titleTag