Easy Notify Lite < 1.1.33 – Contributor+ Stored XSS | CVE 2024-3236

Description

The plugin does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

- Create/edit a Notification (https://example.com/wp-admin/post-new.php?post_type=easynotify)
- Put the following payload in the "Text Header", "Main Text" or any of the "Bullet List" fields: "><img src onerror=alert(/XSS/)>
- The XSS will be triggered when saving/submitting for review, when another user will edit the notification as well as when previewing it (via the Preview feature offered by the plugin, not the usual post preview)

Note: version 1.1.31 patch did not fully fix the issue as a payload like text" onmouseover="alert(/XSS/); would work in some of the affected fields