BulletProof Security < 6.1 – Admin+ Stored Cross-Site Scripting | CVE 2022-1265 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of its CAPTCHA settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

With the plugin setup completed, as administrator, put the payload below in the BPS Security > JTC Lite > "Login Form: CAPTCHA Error message" field and tick the "Enable|Disable JTC For These Forms: " > "Login Form" as well
 
<style>@keyframes x{}</style><article style="animation-name:x" onanimationend="alert(/Stored XSS/)"></article>  

The XSS will be executed on the login page following an incorrect CAPTCHA entry.

Affects Plugins

bulletproof-security

Fixed in 6.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Fayçal CHENA

Submitter

Fayçal CHENA

Submitter website

https://fafachena.com

Submitter twitter

Verified

Yes

WPVDB ID

9b66819d-8479-4c0b-b206-7f7ff769f758

Timeline

Publicly Published

2022-04-19 (about 2 years ago)

Added

2022-04-19 (about 2 years ago)

Last Updated

2022-04-19 (about 2 years ago)

Other

Published

Title

Published

2014-11-03

Title

Post highlights 2.0-2.6 - Stored Cross-Site Scripting (XSS)

Published

2017-03-01

Title

Contact Form by BestWebSoft <= 4.0.1 - Stored Cross-Site Scripting (XSS)

Published

2023-09-19

Title

Widget Responsive for Youtube < 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2023-01-19

Title

WP eBay Product Feeds < 3.4 - Admin+ Stored XSS

Published

2014-08-01

Title

XEN Carousel < 0.12.2 - XSS vulnerabilities in xencarousel-admin.js.php via path or ajaxpath parameter