tagDiv Composer < 4.2 – Admin+ Stored XSS | CVE 2023-3170 | Plugin Vulnerabilities

Description

The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Visit Newsmag > Theme panel > Custom Code
3. Enter the following in "Custom CSS" and click "Save Settings":

</style><img src onerror=alert('XSS')><style>

4. Visit the site frontend to see the XSS.

Affects Plugins

Fixed in 4.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Truoc Phan

Submitter

Truoc Phan

Submitter website

https://www.facebook.com/292706121240740

Submitter twitter

Verified

Yes

WPVDB ID

e95ff3c6-283b-4e5e-bea0-1f1375da08da

Timeline

Publicly Published

2023-08-17 (about 8 months ago)

Added

2023-08-17 (about 8 months ago)

Last Updated

2023-08-17 (about 8 months ago)

Other

Published

Title

Published

2023-02-02

Title

Custom Add User <= 2.0.2 - Reflected Cross-Site Scripting

Published

2020-01-29

Title

Elementor Page Builder < 2.7.7 - Authenticated Stored XSS

Published

2011-09-27

Title

Evolve < 1.2.6 - XSS

Published

2021-09-22

Title

Easy Media Download < 1.1.7 - Contributor+ Stored Cross-Site Scripting

Published

2023-10-02

Title

UniConsent Cookie Consent CMP for GDPR / CCPA < 1.4.4 - Admin+ Stored XSS