WordPress Plugin Vulnerabilities

Robo Gallery < 3.2.16 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to: https://example.com/wp-admin/edit.php?post_type=robo_gallery_table&page=robo-gallery-settings&tab=youtube 
2. In the "Youtube Api Key" enter the PoC: `"autofocus onfocus=alert(1)//` and save.
3. Navigate away and back into the YouTube settings and see the XSS.

Affects Plugins

Plugin icon
robo-gallery
Fixed in 3.2.16

References

CVE
CVE-2023-3499

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Felipe Restrepo Rodriguez
Submitter
Felipe Restrepo Rodriguez
Submitter website
https://pfelilpe.com
Submitter twitter
pfelilpe
Verified
Yes
WPVDB ID
ea29413b-494e-410e-ae42-42f96284899c

Timeline

Publicly Published
2023-08-14 (about 3 months ago)
Added
2023-08-14 (about 3 months ago)
Last Updated
2023-08-14 (about 3 months ago)

Other

Published
Title
Published
2021-04-08
Title
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
Published
2020-02-27
Title
Async Javascript < 2.20.02.27 - Subscriber+ Stored XSS via Plugin Settings Change
Published
2021-04-13
Title
PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS
Published
2023-03-22
Title
WP VR < 8.2.9 - Reflected XSS
Published
2017-10-16
Title
Easy Appointments <= 1.11.7 - Cross-Site Scripting (XSS)