WordPress Plugin Vulnerabilities

Easy Notify Lite < 1.1.33 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

- Create/edit a Notification (https://example.com/wp-admin/post-new.php?post_type=easynotify)
- Put the following payload in the "Text Header", "Main Text" or any of the "Bullet List" fields: "><img src onerror=alert(/XSS/)>
- The XSS will be triggered when saving/submitting for review, when another user will edit the notification as well as when previewing it (via the Preview feature offered by the plugin, not the usual post preview)

Note: version 1.1.31 patch did not fully fix the issue as a payload like text" onmouseover="alert(/XSS/); would work in some of the affected fields

Affects Plugins

Plugin icon
easy-notify-lite
Fixed in 1.1.33

References

CVE
CVE-2024-3236

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Eunho Kim
Submitter
Eunho Kim
Submitter website
https://aiton.tistory.com
Verified
Yes
WPVDB ID
a6c2da28-dc03-4bcc-a6c3-ee55a73861db

Timeline

Publicly Published
2024-05-27 (about 1 months ago)
Added
2024-05-27 (about 1 months ago)
Last Updated
2024-05-27 (about 1 months ago)

Other

Published
Title
Published
2015-05-06
Title
ClickBank Affiliate Ads < 1.35 - Admin+ Stored Cross-Site Scripting
Published
2017-03-07
Title
Ninja Forms < 3.0.31 - XSS
Published
2024-04-15
Title
Shortcodes and extra features for Phlox theme <= 2.15.5 - Contributor+ Stored XSS via title_tag
Published
2019-06-18
Title
GA Backend Tracking <= 1.2 - XSS
Published
2022-03-16
Title
LearnPress < 4.1.6 - Reflected Cross-Site Scripting