WordPress Plugin Vulnerabilities

Testimonials (Free < 2.7, Pro < 1.0.8) - Admin+ Stored Cross-Site Scripting

Description

The plugins do not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create new Testimonial, add the following payload to either Position or Testimonial Text field: "></textarea><img src onerror=alert(/XSS/)>

Publish it, the payload will be triggered in the backend (in the Testimonial list, and when editing the related testimonial), and in page/posts where the shortcode is embed

Affects Plugins

Plugin icon
super-testimonial
Fixed in 2.7
Plugin icon
super-testimonial-pro
Fixed in 1.0.8

References

CVE
CVE-2022-3539

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Submitter website
https://www.hackpertise.com/
Verified
Yes
WPVDB ID
ab3b0052-1a74-4ba3-b6d2-78cfe56029db

Timeline

Publicly Published
2022-10-20 (about 1 years ago)
Added
2022-10-20 (about 1 years ago)
Last Updated
2022-10-20 (about 1 years ago)

Other

Published
Title
Published
2023-03-16
Title
Mediciti Lite <= 1.3.0 - Reflected XSS
Published
2021-03-19
Title
WordPress Related Posts <= 3.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-02-07
Title
Interactive Geo Maps < 1.5.11 - Editor+ Stored XSS
Published
2024-04-22
Title
Exclusive Addons for Elementor < 2.6.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action
Published
2024-01-22
Title
Sticky Buttons < 3.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting