WordPress Plugin Vulnerabilities

Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting

Description

Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post <= 1.1.5 allow low-privileged users (Contributor+) to inject arbitrary Javascript code or HTML in posts where the Themify Custom Panel is embedded.

Proof of Concept

1. As a contributor, go into "Portfolios" tab from the sidebar and create a new Portfolios

2. In the Themify Custom Panel section, Input an XSS vector to :
- Date
- Client
- Services
- Link to Launch

ex: <img src=x onerror=alert(origin)>

3. Publish/Send for review and visit created post/preview as editor/admin to trigger XSS.

Affects Plugins

Plugin icon
themify-portfolio-post
Fixed in 1.1.6

References

CVE
CVE-2021-24129
URL
https://plugins.trac.wordpress.org/changeset/2431145/themify-portfolio-post/trunk/includes/themify-metabox/includes/themify-metabox-core.php?old=2393969

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
https://research.sun-asterisk.com/
Submitter twitter
vigov5
Verified
Yes
WPVDB ID
c8537e5f-1948-418b-9d29-3cf50cd8f9a6

Timeline

Publicly Published
2020-12-04 (about 3 years ago)
Added
2020-12-04 (about 3 years ago)
Last Updated
2021-01-22 (about 3 years ago)

Other

Published
Title
Published
2020-12-24
Title
WP Postratings < 1.86.1 - Admin+ Stored Cross-Site Scripting
Published
2014-08-01
Title
Multisite plugin Manager 3.1.1 - Two Cross-Site Scripting Vulnerabilities
Published
2022-03-30
Title
Donorbox < 7.1.7 - Admin+ Stored Cross-Site Scripting
Published
2017-03-10
Title
Profile Builder < 2.5.8 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-08-10
Title
Contact Form Generator < 2.6.0 - Reflected XSS