IMPress for IDX Broker < 2.6.2 – Authenticated Stored Cross-Site Scripting (XSS) via unprotected 'idx_update_recaptcha_key' AJAX | CVE 2020-11512 | Plugin Vulnerabilities

Description

The IMPress for IDX Broker plugin contains a captcha feature to prevent spam submissions. Since it uses Google’s ReCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not use capability checks or nonce checks.

This made it possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to a malicious JavaScript, which could then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.

Affects Plugins

idx-broker-platinum

Fixed in 2.6.2

References

CVE

URL

https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Submitter

Ramuel Gall

Verified

No

WPVDB ID

c4fcbb6b-d6ab-4f66-9b75-f8c11c6e5e53

Timeline

Publicly Published

2020-03-26 (about 6 years ago)

Added

2020-03-26 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2021-02-08

Title

Digital Publications by Supsystic < 1.7.0 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-04-16

Title

CBX Bookmark & Favorite < 1.7.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-29

Title

Hustle < 7.8.5 - Admin+ Stored XSS

Published

2023-09-25

Title

Simple Posts Ticker < 1.1.6 - Admin+ Stored XSS

Published

2015-08-20

Title

Subscribe To Comments Reloaded < 150820 - Authenticated Reflected Cross-Site Scripting (XSS)