WordPress Plugin Vulnerabilities

Simple Giveaways < 2.45.1 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

As admin, add/edit a sharing method ("Giveaways" > "Settings" > "Sharing Method"), and put the following payload in the Method Title field: <script>alert(/XSS/)</script><img src onerror=alert(/XSS2/)>

As Unauthenticated or authenticated user, go to a giveaway page in the frontend ( date one as admin if there is none yet) and enter it by giving an email. The XSS will be triggered afterwards

Affects Plugins

Plugin icon
giveasap
Fixed in 2.45.1

References

CVE
CVE-2023-1120

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
ipatelsumit
Submitter
ipatelsumit
Submitter website
https://www.linkedin.com/in/ipatelsumit
Verified
Yes
WPVDB ID
c2defd30-7e4c-4a28-8a68-282429061f3f

Timeline

Publicly Published
2023-03-20 (about 1 years ago)
Added
2023-03-20 (about 1 years ago)
Last Updated
2023-03-21 (about 1 years ago)

Other

Published
Title
Published
2023-04-13
Title
ShiftController Employee Shift Scheduling < 4.9.26 - Reflected Cross-Site Scripting
Published
2023-01-06
Title
WP Extended Search < 2.1.2 - Contributor+ Stored XSS via Shortcode
Published
2024-03-26
Title
Elementor Website Builder Pro < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload
Published
2014-08-01
Title
MobileChief - jQuery Validation Cross-Site Scripting
Published
2015-07-27
Title
Hide My WP < 4.52 - Stored Cross-Site Scripting (XSS)