Clean Login < 1.13.7 – Contributor+ Stored XSS via Shortcode | CVE 2022-4838 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Proof of Concept

Note: 

1. First, you need to check “Choose the role(s) in the registration form?” in Clean Login Settings. 

2. The form and the exploit only work and appear if you are not logged in to the website.

Exploit shortcode:

[clean-login-register role='" onmouseover="alert(1)" style="display:block !important; background:red;"']

Affects Plugins

Fixed in 1.13.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

9937e369-60e8-451c-8790-1a83a59115fc

Timeline

Publicly Published

2023-01-10 (about 1 years ago)

Added

2023-01-10 (about 1 years ago)

Last Updated

2023-01-10 (about 1 years ago)

Other

Published

Title

Published

2024-03-22

Title

SEOPress – On-site SEO < 7.6 - Author+ Stored Cross-Site Scripting

Published

2020-05-04

Title

wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via langid Parameter

Published

2022-11-09

Title

Car Rental by BestWebSoft <= 1.1.2 - Admin+ Stored XSS

Published

2019-06-26

Title

WP Ultimate Recipe <= 3.12.6 - Authenticated Stored XSS

Published

2022-10-10

Title

Newspaper < 12 - Reflected Cross-Site Scripting