WordPress Plugin Vulnerabilities

Shortcodes and extra features for Phlox theme < 2.9.8 - Reflected Cross-Site-Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting

Proof of Concept

1. Install and activate the plugin's dependencies:
    + Phlox (install and active it - theme can be found @ https://wordpress.org/themes/phlox/ )
    + WooCommerce (no setup required)
2. Install the vulnerable plugin (auxin-elements)
3. Visit the following URL to trigger an alert box:

https://example.com/wp-admin/admin-ajax.php?action=aux_the_recent_products&data[wp_query_args][post_type]=post&data[title]=%3Cscript%3Ealert(`xss`);%3C/script%3E

Note: The `data[wp_query_args][post_type]=post` parameter is used to query for posts instead of products to avoid an empty response as no products have been created beforehand. If there are products in the database, this parameter can be removed.

Affects Plugins

Plugin icon
auxin-elements
Fixed in 2.9.8

References

CVE
CVE-2022-1910

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
8afe1638-66fa-44c7-9d02-c81573193b47

Timeline

Publicly Published
2022-06-20 (about 1 years ago)
Added
2022-06-20 (about 1 years ago)
Last Updated
2023-03-23 (about 1 years ago)

Other

Published
Title
Published
2021-06-25
Title
Event Espresso Core < 4.10.7.p - Reflected Cross-Site Scripting (XSS)
Published
2023-04-04
Title
Outdoor < 3.9.7 - Reflected XSS
Published
2017-07-31
Title
Event List < 0.7.10 - XSS
Published
2023-05-10
Title
Tiny carousel horizontal slider plus <= 3.2 - Admin+ Stored XSS
Published
2021-04-08
Title
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)