Aajoda Testimonials < 2.2.2 – Admin+ Stored XSS | CVE 2023-2178 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. In Aajoda » Optional Aajoda Style, insert the following payload: "></textarea><script>alert(/XSS/)</script>

2. Save the changes to get the XSS exploit.

Affects Plugins

aajoda-testimonials

Fixed in 2.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Juampa Rodríguez

Submitter

Juampa Rodríguez

Submitter website

https://infayer.com/

Submitter twitter

Verified

Yes

WPVDB ID

e84b71f9-4208-4efb-90e8-1c778e7d2ebb

Timeline

Publicly Published

2023-06-05 (about 11 months ago)

Added

2023-06-05 (about 11 months ago)

Last Updated

2023-06-05 (about 11 months ago)

Other

Published

Title

Published

2016-10-03

Title

WordPress Appointment Schedule Booking System - Authenticated Stored XSS

Published

2024-01-23

Title

Better Follow Button for Jetpack <= 8.0 - Admin+ Stored XSS

Published

2021-11-10

Title

WP Project Manager < 2.4.14 - Authenticated Stored Cross-Site Scripting

Published

2022-08-23

Title

Float to Top Button <= 2.3.6 - Admin+ Stored Cross-Site Scripting

Published

2020-08-06

Title

Konzept < 2.5 - Unauthenticated Reflected XSS