youForms for WordPress <= 1.0.5 – Authenticated Stored Cross-Site Scripting | CVE 2021-24596 | Plugin Vulnerabilities

Description

The plugin does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Create/edit a template and put the following payloads in the Button text/Button subtext/Header text/Header subtext fields of the Change button template text/Change template modal text sections:

<script>alert(/XSS/)</script>
" style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be triggered when viewing the template again in the admin dashboard

https://github.com/xiahao90/CVEproject/blob/main/wordpress_youFormsfreeforCopeCart_XSS.md

Affects Plugins

youforms-free-for-copecart

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

b5def0e7-2b4a-43e0-8175-28b28aa2f8ae

Timeline

Publicly Published

2021-07-30 (about 2 years ago)

Added

2021-08-19 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2021-11-01

Title

Google Maps Easy < 1.10.1 - Admin+ Stored Cross-Site Scripting

Published

2024-03-19

Title

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 4.5.4 - Contributor+ Stored XSS

Published

2022-09-01

Title

Easy Org Chart <= 3.1 - Contributor+ Stored Cross-Site Scripting

Published

2020-01-06

Title

Awesome Support < 6.0.0 - Stored XSS via Ticket Title

Published

2023-10-12

Title

WP ULike < 4.6.9 - Contributor+ Stored Cross Site Scripting via Shortcode