Page Restriction WordPress < 1.2.7 – Admin+ Stored Cross-Site Scripting | CVE 2022-1027 | Plugin Vulnerabilities

Description

The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.

Proof of Concept

In Page/Post Access tab, Use XSS Payload as "><script>alert('XSS')</script> in any of the pages available.

XSS will be triggered at the plugin's admin panel.

Affects Plugins

page-and-post-restriction

Fixed in 1.2.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Niraj Mahajan

Submitter

Niraj Mahajan

Submitter website

https://www.linkedin.com/in/niraj1mahajan/

Submitter twitter

Verified

Yes

WPVDB ID

9dbb0d6d-bc84-4b85-8aa5-fa2a8e6fa5e3

Timeline

Publicly Published

2022-04-01 (about 2 years ago)

Added

2022-04-01 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2022-12-02

Title

WP Google Review Slider < 11.6 - Admin+ Stored XSS

Published

2019-07-17

Title

All-in-One WP Migration < 7.0 - Authenticated Cross-Site Scripting (XSS)

Published

2015-05-19

Title

Church Admin < 0.810 - Stored Cross-Site Scripting (XSS)

Published

2022-11-15

Title

Helloprint < 1.4.7 - Reflected Cross-Site Scripting

Published

2023-05-03

Title

OSM – OpenStreetMap <= 6.02 - Contributor+ Stored XSS via Shortcode