Insert Pages < 3.7.5 – Contributor+ Stored XSS | CVE 2022-4483

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Proof of Concept

Exploit: [insert page="2" class="' onmouseover='alert(1)'"]

Note: page id should be different from the current page id.

Affects Plugins

insert-pages

Fixed in 3.7.5

References

CVE

CVE-2022-4483

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

LanaCodes

Verified

Yes

WPVDB ID

a1786400-dc62-489c-b986-ba17c9833179

Timeline

Publicly Published

2023-01-04 (about 1 years ago)

Added

2022-12-21 (about 1 years ago)

Last Updated

2022-12-21 (about 1 years ago)

Other

Published

Title

Published

2021-06-16

Title

WP YouTube Lyte < 1.7.16 - Authenticated Stored XSS

Published

2022-12-27

Title

Search & Filter < 1.2.16 - Contributor+ Stored XSS

Published

2024-03-04

Title

Blue Triad EZAnalytics <= 1.0 - Reflected Cross-Site Scripting via 'bt_webid'

Published

2024-02-11

Title

My Calendar < 3.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2023-04-18

Title

Kaya QR Code Generator < 1.5.3 - Contributor+ Stored XSS