WordPress Plugin Vulnerabilities

Bit Assist < 1.1.9 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Proof of Concept

1. In the plugin's settings, click on Add Channel and select a custom channel.
2. Open the Custom Channel link field.
3. Paste or type the JavaScript URL `javascript:alert(document.cookie);` into it.
4. Click on Save/Update.
5. Open the site and click on the link to see the XSS.

Other vulnerable fields include:

- Custom Iframe - iFrame URL: `javascript:alert(document.cookie);`
- Gmap - Google maps embed code: `<img src=x onerror=confirm(/XSS/)>`
- FAQ - FAQ Title: `<img src=x onerror=confirm(/XSS/)>`
- Knowledge base - Knowledge Base title: `<img src=x onerror=confirm(/XSS/)>`
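As an added illustration (not the Bit Assist plugin's own code), the store-raw-and-echo pattern that produces this class of bug is shown beside the sanitise-on-save, escape-on-output form WordPress provides for each field type named above. The option name, field keys and function names are hypothetical; only the WordPress API calls (`esc_url_raw`, `esc_url`, `sanitize_text_field`, `esc_html`, `wp_kses`) are real.

```php
<?php
// Hypothetical plugin settings handling for the fields in this advisory
// (custom channel link, iframe URL, FAQ/KB titles, Google Maps embed code).
// Option name and keys are made up; the WordPress functions are real.

// Vulnerable pattern: input is stored and later echoed unchanged, so a
// javascript: URL or <img onerror> markup reaches the front end even when
// the saving user lacks unfiltered_html (e.g. an admin on multisite).
function bitassist_demo_save_unsafe( array $input ) {
    update_option( 'bitassist_demo_settings', $input );
}
function bitassist_demo_render_unsafe() {
    $s = get_option( 'bitassist_demo_settings', array() );
    echo '<a href="' . $s['channel_link'] . '">' . $s['faq_title'] . '</a>';
}

// Hardened pattern: sanitise on save AND escape on output, per field type.
function bitassist_demo_save( array $input ) {
    $clean = array(
        // esc_url_raw() allows only safe schemes (http, https, mailto, ...),
        // so 'javascript:alert(document.cookie);' is rejected and becomes ''.
        'channel_link' => esc_url_raw( $input['channel_link'] ?? '' ),
        'iframe_url'   => esc_url_raw( $input['iframe_url'] ?? '' ),
        // Plain-text titles: tags are stripped, so <img onerror=...> is gone.
        'faq_title'    => sanitize_text_field( $input['faq_title'] ?? '' ),
        'kb_title'     => sanitize_text_field( $input['kb_title'] ?? '' ),
        // Embed code genuinely needs markup: allow a single <iframe> with a
        // fixed attribute set over https; wp_kses() drops everything else.
        'gmap_embed'   => wp_kses(
            $input['gmap_embed'] ?? '',
            array( 'iframe' => array( 'src' => true, 'width' => true, 'height' => true ) ),
            array( 'https' )
        ),
    );
    update_option( 'bitassist_demo_settings', $clean );
}
function bitassist_demo_render() {
    $s = get_option( 'bitassist_demo_settings', array() );
    // Escape again at output: sanitising on save is not a substitute.
    printf(
        '<a href="%s">%s</a>',
        esc_url( $s['channel_link'] ?? '' ),
        esc_html( $s['faq_title'] ?? '' )
    );
    // Already reduced to the <iframe> allowlist by wp_kses() on save.
    echo $s['gmap_embed'] ?? '';
}
```

Sanitising on save alone would not be enough either: any other code path that writes the option (an import, a REST endpoint) bypasses it, which is why output escaping is the layer that must always be present.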

Affects Plugins

Fixed in 1.1.9

Classification

Type
XSS

Miscellaneous

Original Researcher
Dipak Panchal (th3.d1pak)
Submitter
Dipak Panchal (th3.d1pak)
Verified
Yes

Timeline

Publicly Published
2023-07-27
Added
2023-07-27
Last Updated
2023-07-27