WordPress Plugin Vulnerabilities

WP Custom Cursors <= 3.3 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Proof of Concept

1. Add a new custom cursor.
2. Under "Hover Options" select "Snap" and for the "Background Color" add the payload: "><script>alert("xss")</script>
3. Save and see the XSS pop-up.

Before version 3.3, use the following steps:

1. Add a new custom cursor.
2. Under "Hover Options" select "Shape" and for the "Background Color" add the payload: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
3. Save and when you go through the process to edit the code, you will see the XSS pop-up.
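
The missing controls named in the description, shown as an added example (not the plugin's own code): an allow-list check when the "Background Color" setting is saved, plus attribute escaping when it is rendered, run against the two payloads above. The function names and the `hover_bg_color` field name are hypothetical, and hex-only colour values are an assumption.

```php
<?php
// Added example, not code from WP Custom Cursors. Names are hypothetical.

// Validate on save: accept only #rgb or #rrggbb and return null otherwise.
// Inside WordPress, sanitize_hex_color() performs an equivalent check.
function example_sanitize_color(string $value): ?string
{
    $value = trim($value);
    if (preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $value) === 1) {
        return strtolower($value);
    }
    return null;
}

// Escape on output: encode both quote styles so a stored value cannot close
// the attribute or the tag. Inside WordPress, esc_attr() fills this role.
function example_render_color_input(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="hover_bg_color" value="' . $escaped . '">';
}

// Constructed sample input: one legitimate colour and the two payloads
// quoted in the proof of concept above.
$samples = [
    '#FF8800',
    '"><script>alert("xss")</script>',
    '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
];

foreach ($samples as $raw) {
    $clean = example_sanitize_color($raw);
    printf("%-6s %s\n", $clean === null ? 'REJECT' : 'ACCEPT', $raw);

    // Rows saved before validation existed may still hold raw values, so the
    // renderer escapes whatever it is given instead of trusting the database.
    echo '       ', example_render_color_input($raw), "\n";
}
```

Both layers matter here: validation on save keeps new malicious values out of the database, while escaping on output neutralises anything already stored by an affected version.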

Affects Plugins

No known fix

References

YouTube Video

Classification

Type
XSS

Miscellaneous

Submitter
David Suho Lee
Verified
Yes

Timeline

Publicly Published
2023-10-07 (about 7 months ago)
Added
2023-12-18 (about 4 months ago)
Last Updated
2024-02-21 (about 2 months ago)
