WordPress Plugin Vulnerabilities
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
Description
The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.
Timeline
July 12th, 2021 - Vendor notified via email
August 2nd, 2021 - Escalated to WP Plugins team due to unresponsive vendor
September 15th, 2021 - No update, public disclosure
Proof of Concept
Put the payload below in a Form Title, then view the Form List page (/wp-admin/admin.php?page=ps-form-builder) or the related Form to trigger the XSS " style="animation-name:rotation" onanimationstart="alert(/XSS/)//
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Felipe Restrepo Rodriguez
Submitter
Felipe Restrepo Rodriguez
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-09-15 (about 2 years ago)
Added
2021-09-15 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)