Team Members < 5.3.2 – Author+ Stored XSS | CVE 2024-1331 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its Team options attributes before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Create/edit a team and add a member to it
2. Fill all the forms, upload a photo and input `" onmouseover='alert(1)'` in the "First name ", "Lastname" or "Link URL" field.
3. Put the resulting shortcode in a post, render the post and hover the user card / social link icon to trigger the XSS

Affects Plugins

Fixed in 5.3.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

b2bac900-3d8f-406c-b03d-c8db156acc59

Timeline

Publicly Published

2024-02-26 (about 2 months ago)

Added

2024-02-26 (about 2 months ago)

Last Updated

2024-03-05 (about 1 months ago)

Other

Published

Title

Published

2023-08-28

Title

Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting

Published

2019-08-10

Title

PPOM for WooCommerce <= 18.3 - Authenticated Stored XSS

Published

2022-12-14

Title

WP Table Reloaded <= 1.9.4 - Contributor+ Stored XSS

Published

2023-05-16

Title

Chaty < 3.1 - Admin+ Stored Cross-Site Scripting

Published

2023-11-06

Title

WP MapIt < 3.0.0 - Contributor+ Stored XSS