Better Comments < 1.5.6 – Subscriber+ Stored XSS | CVE 2024-2404 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. From the menu on the left, go into "Users" and edit Subscriber user.
2. Upload a new avatar image and click "Update User".
3. Change the nickname to the following payload and click "Update User" as before:
"onload="prompt('XSS')
4. Payload is triggered immediately on Profile menu.
5. Open any post as the Subscriber user and leave a comment to trigger the payload.
6. Everywhere where the avatar is used, the payload is triggered. For example, consider the avatar is always used in the top right corner besides the username on any WordPress page or post.

Affects Plugins

better-comments

Fixed in 1.5.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nicolo

Submitter

Nicolo

Verified

Yes

WPVDB ID

a2cb7167-9edc-4640-87eb-4c511639e5b7

Timeline

Publicly Published

2024-04-03 (about 1 year ago)

Added

2024-04-03 (about 1 year ago)

Last Updated

2024-04-03 (about 1 year ago)

Other

Published

Title

Published

2025-01-14

Title

Twitter Bootstrap Collapse aka Accordian Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-10

Title

Trackserver < 5.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-07

Title

140+ Widgets | Best Addons For Elementor – FREE < 1.4.3.1 - Authenticated (Admin+) Cross Site Scripting

Published

2024-04-10

Title

F4 Improvements < 1.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2024-03-25

Title

BuddyForms < 2.8.6 - Reflected Cross-Site Scripting via page