Icegram Engage < 3.1.32 – Author+ Stored XSS | CVE 2024-12302 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

1. As author, create a campaign (such as a popup one)
2. Switch on "Use Opt-in / Subscription / Lead capture form" box. 
3. Put the following payload in the Textarea with "Paste HTML / Shortcode ...": &lt;img src=x onerror=alert(1)&gt;
4. Save it and reload the page
5. To trigger the XSS, click in the Textarea where the payload was put, then anywhere outside of it. The XSS will also trigger when (pre)viewing the the Campaign

Affects Plugins

Fixed in 3.1.32

References

CVE

URL

https://research.cleantalk.org/cve-2024-12302/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

ed860dac-8c4a-482f-8826-31f1a894b6ce

Timeline

Publicly Published

2024-12-16 (about 1 year ago)

Added

2024-12-16 (about 1 year ago)

Last Updated

2024-12-16 (about 1 year ago)

Other

Published

Title

Published

2024-10-09

Title

Advanced Blocks Pro <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2020-01-15

Title

YOP Poll < 6.1.2 - Reflected Cross-Site Scripting

Published

2023-06-28

Title

Side Cart Woocommerce (Ajax) < 2.3 - Admin+ Stored XSS

Published

2021-09-27

Title

Countdown and CountUp, WooCommerce Sales Timers < 1.5.8 - CSRF to Stored Cross-Site Scripting

Published

2025-11-21

Title

Cookie Notice & Compliance for GDPR / CCPA < 2.5.9 - Contributor+ Stored XSS