WordPress Plugin Vulnerabilities

RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues

Proof of Concept

As admin, Navigate to Setting >> Яндекс.Турбо >> Счетчики and enter a payload such as " onmouseover="alert(1) into all the six user input fields and submit the request.

You will observe that the payloads got successfully stored into the database and when you move the mouse cursor over these fields the JavaScript payloads get executed successfully and we get a pop-up.

Better payload (WPScanTeam): " style="animation-name:rotation" onanimationstart="alert(/XSS/)

The following fields are vulnerable to Stored Sross-Site Scripting :
Яндекс.Метрика
LiveInternet
Google Analytics
Рейтинг Mail.Ru
Rambler Топ-100
Mediascope (TNS)

Affects Plugins

Plugin icon
rss-for-yandex-turbo
Fixed in 1.30

References

CVE
CVE-2021-24277

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Himamshu Dilip Kulkarni
Submitter
Himamshu Dilip Kulkarni
Submitter twitter
DilipHimamshu
Verified
Yes
WPVDB ID
8ebf56be-46c0-4435-819f-dc30370eafa4

Timeline

Publicly Published
2021-04-21 (about 3 years ago)
Added
2021-04-21 (about 3 years ago)
Last Updated
2021-04-22 (about 3 years ago)

Other

Published
Title
Published
2017-05-11
Title
User Access Manager <= 2.0.8 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2022-09-14
Title
Notice Board <= 1.1 - Contributor+ Stored Cross-Site Scripting
Published
2023-05-12
Title
WPCS – WordPress Currency Switcher Professional < 1.2.0 - Contributor+ Stored Cross-Site Scripting
Published
2017-07-24
Title
Popup Maker <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
Published
2024-03-18
Title
Passwordless Login < 1.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting