WordPress Plugin Vulnerabilities

Real Media Library < 4.18.29 - Author+ Stored XSS

Description

The plugin does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

As a user with the author role, go to Media > Library and create a new folder with the following payload: "><img src onerror=alert(/XSS/)>

Then Add a new media (via Media > Add new), select the created folder with the payload, and upload a file, which will trigger the XSS. Any user using the malicious folder to upload files will have the XSS trigger

Affects Plugins

Plugin icon
real-media-library-lite
Fixed in 4.18.29

References

CVE
CVE-2023-0285

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Bipul Jaiswal from SecureLayer7
Submitter
Bipul Jaiswal from SecureLayer7
Submitter website
https://securelayer7.net
Submitter twitter
hackw1thproxy
Verified
Yes
WPVDB ID
adf09e29-baf5-4426-a281-6763c107d348

Timeline

Publicly Published
2023-01-30 (about 1 years ago)
Added
2023-01-30 (about 1 years ago)
Last Updated
2023-01-30 (about 1 years ago)

Other

Published
Title
Published
2022-03-02
Title
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
Published
2023-04-20
Title
WPJAM Basic < 6.2.1.1 - Contributor+ Stored XSS
Published
2023-10-12
Title
Proofreading < 1.1 - Reflected XSS
Published
2023-10-23
Title
Very Simple Google Maps < 2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-05-15
Title
WooCommerce Brands < 1.6.46 - Contributor+ Stored XSS