WordPress Plugin Vulnerabilities

Better Comments < 1.5.6 - Subscriber+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. From the menu on the left, go into "Users" and edit Subscriber user.
2. Upload a new avatar image and click "Update User".
3. Change the nickname to the following payload and click "Update User" as before:
"onload="prompt('XSS')
4. Payload is triggered immediately on Profile menu.
5. Open any post as the Subscriber user and leave a comment to trigger the payload.
6. Everywhere where the avatar is used, the payload is triggered. For example, consider the avatar is always used in the top right corner besides the username on any WordPress page or post.

Affects Plugins

Plugin icon
better-comments
Fixed in 1.5.6

References

CVE
CVE-2024-2404

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Nicolo
Submitter
Nicolo
Verified
Yes
WPVDB ID
a2cb7167-9edc-4640-87eb-4c511639e5b7

Timeline

Publicly Published
2024-04-03 (about 1 months ago)
Added
2024-04-03 (about 1 months ago)
Last Updated
2024-04-03 (about 1 months ago)

Other

Published
Title
Published
2011-09-27
Title
Black Letterhead < 1.6 - XSS
Published
2016-08-01
Title
Contact Bank < 2.1.23 - Cross-Site Scripting (XSS)
Published
2022-04-05
Title
Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting
Published
2016-07-29
Title
Clicky by Yoast <= 1.5 - Minor Security Improvements
Published
2011-09-27
Title
Trending < 0.2 - XSS