Stylish Price List < 7.1.12 – Contributor+ Stored XSS | CVE 2024-10472

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Proceed to adding a new list
2. Start from scratch
3. Add the name to the following parameters: Category Name, Category Description, Category Cover Image.
4. Add the name to the Item Name, Price, Description parameter.
5. Click on the More Settings tab.
6. Enter the payload `"&gt;&lt;script&gt;&lt;/script&gt;&lt;img src=x onerror=alert(777)&gt;` in the Tooltip Description parameter.
7. XSS will work when hovering over the named parameters Item Name, Price, Description in the form of a description, however, the payload is not sanitized and executes malicious code