WP Staging (Free < 3.4.0, Pro < 5.4.0) – Admin+ Stored XSS | CVE 2024-2309 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to "WP Staging > Backup & Migration"
2. Edit an existing backup's "Backup Name" field, setting it to: `123123" onmouseover='alert(1)'`
3. Save and see the XSS when reopening the edit screen

Affects Plugins

Fixed in 3.4.0

Fixed in 5.4.0

References

CVE

URL

https://research.cleantalk.org/cve-2024-2309/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

a4152818-1e07-46a7-aec4-70f1a1b579a6

Timeline

Publicly Published

2024-03-27 (about 1 months ago)

Added

2024-03-27 (about 1 months ago)

Last Updated

2024-04-15 (about 1 months ago)

Other

Published

Title

Published

2021-05-04

Title

Goto < 2.1 - Reflected Cross-Site Scripting (XSS)

Published

2021-08-23

Title

Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting

Published

2021-08-11

Title

FV Flowplayer Video Player < 7.5.3.727 - Reflected Cross-Site Scripting

Published

2024-03-05

Title

Simple Membership < 4.4.3 - Unauthenticated Stored Self-Based Cross-Site Scripting

Published

2022-06-20

Title

WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting