WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises have several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads.
Proof of Concept
1. Create a user with role 'subscriber'
2. Install WP Prayer 1.5.5 and create a page with a [wp-prayer-engine form] and a page with [wp-prayer-engine]
2. Log into the website with the subcriber user
3. Go to the page [wp-prayer-engine form] and fill in the fields
4. In the 'prayer request' field put the following: <script>alert("XSS")</script>
5. Submit the form
6. Go to the page with the [wp-prayer-engine] or the "Manage Prayers" admin dashboard (wp-admin/admin.php?page=wpe_manage_prayer)
7. XSS payload will be triggered Affects Plugins
Fixed in version 1.6.2✓
Classification
Miscellaneous
Original Researcher
Bastijn Ouwendijk
Submitter
Bastijn Ouwendijk
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-05-17 (about 4 months ago)
Added
2021-05-17 (about 4 months ago)
Last Updated
2021-06-17 (about 3 months ago)