WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Salat Times < 3.2.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escapes its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payload in any text field of Settings > Salat Times: "><img src onerror=alert(/XSS/)>

Save, and the XSS will be triggered when accessing the settings again.

The payload will also be triggered in pages where the [daily_salat_times] is embedded.

Affects Plugins

salat-times
Fixed in version 3.2.2

References

CVE
CVE-2022-2983

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Submitter website
https://www.hackpertise.com/
Verified

Yes

WPVDB ID
e2af8c7f-9bd4-4902-8df8-72ffb414fdbf

Timeline

Publicly Published

2022-11-02 (about 4 months ago)

Added

2022-11-02 (about 4 months ago)

Last Updated

2022-11-02 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin