Post Views Count <= 3.0.2 – Contributor+ Stored XSS in Shortcode | CVE 2022-4761 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a Contributor+ create a new post and add the following shortcode.

[post_view id='1" onmouseover="alert(/XSS/)" style="background:red;width:100px;height:100px;"']

Save it to be reviewed.

When an admin reviews the post and moves the mouse over the added code, the payload will be delivered.

Affects Plugins

baw-post-views-count

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

ad163020-8b9c-42cb-a55f-b137b224bafb

Timeline

Publicly Published

2023-01-25 (about 1 years ago)

Added

2023-01-25 (about 1 years ago)

Last Updated

2023-01-25 (about 1 years ago)

Other

Published

Title

Published

2024-04-12

Title

POEditor < 0.9.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-06-30

Title

TaxoPress < 3.0.7.2 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2023-04-19

Title

SparkPost < 2.3.6 - Admin+ Stored XSS

Published

2023-09-05

Title

Raise Mag <= 1.0.7 and Wishful Blog <= 2.0.1 - Reflected XSS

Published

2016-04-13

Title

Admin Font Editor <= 1.8 - Unauthenticated Reflected Cross-Site Scripting (XSS)