WordPress Plugin Vulnerabilities
WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises have several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads.
Proof of Concept
1. Create a user with role 'subscriber'
2. Install WP Prayer 1.5.5 and create a page with a [wp-prayer-engine form] and a page with [wp-prayer-engine]
2. Log into the website with the subcriber user
3. Go to the page [wp-prayer-engine form] and fill in the fields
4. In the 'prayer request' field put the following: <script>alert("XSS")</script>
5. Submit the form
6. Go to the page with the [wp-prayer-engine] or the "Manage Prayers" admin dashboard (wp-admin/admin.php?page=wpe_manage_prayer)
7. XSS payload will be triggered
Affects Plugins
Fixed in 1.6.2 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Bastijn Ouwendijk
Submitter
Bastijn Ouwendijk
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-17 (about 2 years ago)
Added
2021-05-17 (about 2 years ago)
Last Updated
2021-06-17 (about 2 years ago)
WPScan 