PubyDoc <= 2.0.6 – Admin+ Stored XSS | CVE 2023-4970 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

1) After the installing the plugin, create a new table at /wp-admin/admin.php?page=pyt-tables&tab=tables-new, and insert the following malicious XSS payload in its "Title" field: `"><img src=x onerror=confirm(1)>`

2) Save the payload, and notice the injection alert() box popping up when viewing the full list of tables in `/wp-admin/admin.php?page=pyt-tables&tab=tables`

Affects Plugins

pubydoc-data-tables-and-charts

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vaishnav Rajeevan

Submitter

Vaishnav Rajeevan

Submitter website

https://twitter.com/vaishnavrajeev6

Submitter twitter

vaishnavrajeev6

Verified

Yes

WPVDB ID

845bbfdd-fe9f-487c-91a0-5fe10403d8a2

Timeline

Publicly Published

2023-10-27 (about 6 months ago)

Added

2023-10-27 (about 6 months ago)

Last Updated

2023-10-27 (about 6 months ago)

Other

Published

Title

Published

2021-08-16

Title

WP Courses LMS < 2.0.44 - Reflected Cross-Site Scripting

Published

2019-02-05

Title

WP Live Chat Support < 8.0.18 - Cross-Site Scripting (XSS)

Published

2016-09-02

Title

Recipes Writer <= 1.0.4 - XSS

Published

2024-04-23

Title

Blocksy < 2.0.34 - Contributor+ Stored XSS

Published

2023-04-18

Title

BBSpoiler < 2.02 - Contributor+ Stored XSS