WordPress Plugin Vulnerabilities

Top 10 < 3.2.3 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its Block attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Proof of Concept

1. Insert a Top 10 Popular Posts block, and give it the following additional CSS classes: " onmouseover="alert(1)" style="background:red;width:100px;height:100px;"

2. Hover over the block where it's inserted, and the JavaScript alert will trigger successfully.

Affects Plugins

Plugin icon
top-10
Fixed in 3.2.3

References

CVE
CVE-2022-4570

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
a2483ecf-42a6-470a-b965-4e05069d1cef

Timeline

Publicly Published
2022-12-29 (about 1 years ago)
Added
2022-12-29 (about 1 years ago)
Last Updated
2022-12-29 (about 1 years ago)

Other

Published
Title
Published
2020-05-11
Title
ImageBoss < 3.0.6 - Admin+ Stored Cross-Site Scripting
Published
2024-02-14
Title
Premium Addons for Elementor < 4.10.19 - Contributor+ Stored Cross-Site Scripting
Published
2023-11-21
Title
EventPrime – Modern Events Calendar, Bookings and Tickets < 3.3.3 - Contributor+ Stored XSS
Published
2023-11-02
Title
Digirisk 6.0.0.0 - Reflected Cross-Site Scripting
Published
2022-12-23
Title
Link Library < 7.4.1 - Admin+ Stored XSS