WPQA < 5.2 – Subscriber+ Stored Cross-Site Scripting via Profile fields | CVE 2022-1051 | Plugin Vulnerabilities

Description

The plugin, used as a companion plugin for the Discy and Himer themes, does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.

Proof of Concept

Edit your profile and add the following payload in one of the unescaped fields. <img src onerror=alert(/XSS/)>
Upon visiting your profile, XSS will be triggered

Affects Plugins

Fixed in 5.2

References

CVE

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

cb2fa587-da2f-460e-a402-225df7744765

Timeline

Publicly Published

2022-04-21 (about 2 years ago)

Added

2022-04-21 (about 2 years ago)

Last Updated

2022-05-07 (about 2 years ago)

Other

Published

Title

Published

2021-02-08

Title

Pricing Table by Supsystic < 1.9.0 - Authenticated Stored Cross-Site Scripting

Published

2024-05-07

Title

Beaver Builder – WordPress Page Builder < 2.8.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Reflected XSS

Published

2023-05-16

Title

File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode

Published

2022-12-22

Title

Real Testimonials < 2.6.0 - Contributor+ Stored XSS