WordPress Plugin Vulnerabilities

Restaurant Menu < 2.3.6 - Contributor+ Stored XSS via Shortcode

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

The exploit requires at least a contributor role.

1. Create and connect a GloriaFood account, and add a Restaurant.

2. Find the RUID on the GloriaFood Settings page.

3. Insert the following shortcode in a post/page by changing the RUID accordingly:

[restaurant-reservations ruid='87cdb0a5-54ad-4296-a7d9-cd37fd217f68' class='" onmouseover="alert(1)"']

Affects Plugins

Plugin icon
menu-ordering-reservations
Fixed in 2.3.6

References

CVE
CVE-2022-4657

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
a90a413d-0e00-4da8-a339-d6cdfba70bb3

Timeline

Publicly Published
2023-01-16 (about 1 years ago)
Added
2023-01-16 (about 1 years ago)
Last Updated
2023-01-16 (about 1 years ago)

Other

Published
Title
Published
2021-04-16
Title
All 404 Redirect to Homepage < 1.21 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2021-10-15
Title
MPL-Publisher - Self-publish your book & ebook < 1.30.4 - Admin+ Stored Cross-Site Scripting
Published
2015-10-21
Title
WordPress Calls to Action < 2.5.1 - Reflected Cross-Site Scripting (XSS)
Published
2021-11-29
Title
Asgaros Forums < 1.15.14 - Admin+ Stored Cross-Site Scripting
Published
2022-09-26
Title
Sabai Discuss < 1.4.14 - Reflected Cross Site Scripting