RSSImport <= 4.6.1 – Contributor+ Stored XSS via Shortcode | CVE 2022-4658 | Plugin Vulnerabilities

Description

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

Proof of Concept

1. Insert the following shortcode in a post/page: [RSSImport target='" onmouseover="alert(1)" style="background:red;"']

2. Hover over the list of posts displayed by the shortcode.

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

c7a17eb9-2811-45ba-bab3-f53b2fa7d051

Timeline

Publicly Published

2022-12-23 (about 1 years ago)

Added

2022-12-23 (about 1 years ago)

Last Updated

2022-12-23 (about 1 years ago)

Other

Published

Title

Published

2022-05-17

Title

Google Places Review < 2.0.0 - Admin+ Stored Cross Site Scripting

Published

2022-04-19

Title

Custom TinyMCE Shortcode Button <= 1.1 - Reflected Cross-Site Scripting

Published

2023-11-13

Title

Star CloudPRNT for WooCommerce < 2.0.4 - Reflected XSS

Published

2024-02-12

Title

Bold Page Builder < 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link

Published

2024-02-23

Title

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting