WordPress Plugin Vulnerabilities

Internal Links Manager < 2.1.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS)

Description

Due to a lack of user input filtering and validation, the "Add New Link" and "All Links" features are vulnerable to stored cross-site scripting.

The following fields are vulnerable: Internal Title (title), Link Title (titleattr).

The reporter notified the vendor and the WP plugins team of the issues.

Edit (WPScanTeam):
July 14th, 2020 - v2.0.2 released, but Link Title field still vulnerable with another payload. WP plugins team notified.
August 18th, 2020 - No updates about bypass, disclosing.
December 27th, 2020 - v2.1.0 released, re-introducing the issue on the Internal Title (title parameter) when editing a link.
January 7th, 2021 - v2.1.1 released, fixing the issues.
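
The class of fix this entry calls for, as an added example that is not the plugin's code: encode both fields at output time, in every view that prints them, rather than filtering tags on input. The helper names are hypothetical, the sample values are constructed, and it is an assumption that Link Title (titleattr) ends up in a `title=""` attribute and Internal Title (title) in the edit form's input value.

```php
<?php
// Added example: hypothetical helpers, not the plugin's own code.
// Assumption: titleattr is printed inside title="" and title inside an
// <input value=""> on the edit screen.

/** Partial measure shown for contrast: removes tags, leaves quotes untouched. */
function filter_tags_only(string $value): string
{
    return strip_tags($value);
}

/** Encode for HTML text and quoted attributes (WordPress: esc_html()/esc_attr()). */
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the generated link; every stored value is encoded where it is printed. */
function render_link(string $url, string $titleattr, string $anchor): string
{
    // The URL scheme must also be validated separately (WordPress: esc_url()).
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        encode_for_html($url),
        encode_for_html($titleattr),
        encode_for_html($anchor)
    );
}

/** Render the edit-form field with the same encoder, so edit and list views agree. */
function render_edit_field(string $title): string
{
    return sprintf('<input type="text" name="title" value="%s">', encode_for_html($title));
}

// Constructed, benign sample values containing the characters that matter.
$titleattr = 'Guide to 5" screens <draft>';
$title     = 'Pricing "2021" & plans';

// Tag stripping alone: the double quote survives and closes the attribute early.
echo '<a href="/guide" title="' . filter_tags_only($titleattr) . '">guide</a>', PHP_EOL;

// Output encoding: the whole value stays inside the attribute or input value.
echo render_link('/guide', $titleattr, 'guide'), PHP_EOL;
echo render_edit_field($title), PHP_EOL;
```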

Classification

Type
XSS

Miscellaneous

Original Researcher
Chevon Phillip
Submitter
Chevon Phillip
Verified
Yes

Timeline

Publicly Published
2020-08-18
Added
2020-08-18
Last Updated
2021-01-19