WordPress Plugin Vulnerabilities

Cost Calculator < 1.6 - Contributor+ Stored Cross-Site Scripting

Description

The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page)

Proof of Concept

Create a new "Cost Calculator" post, set the Price Settings > Description field to "><script>alert(/XSS/)</script>
and reload (or have an admin view the page). The XSS will also trigger when the related calculator shortcode (e.g [nd_cost_calculator id="806"]) is embed in a post/page

Create a new Project, set the Text Preview field to " style="animation-name:rotation;" onanimationend="alert(/XSS/)//
and reload (or have an admin view the page).

Affects Plugins

Plugin icon
nd-projects
Fixed in 1.6

References

CVE
CVE-2021-24821

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
f0915b66-0b99-4aeb-9fba-759cafaeb0cb

Timeline

Publicly Published
2022-02-01 (about 2 years ago)
Added
2022-02-01 (about 2 years ago)
Last Updated
2022-04-16 (about 2 years ago)

Other

Published
Title
Published
2022-12-19
Title
Sidebar Widgets by CodeLights <= 1.4 - Admin+ Stored Cross Site Scripting
Published
2023-12-05
Title
Email Subscription Popup < 1.2.19 - Reflected Cross-Site Scripting
Published
2017-11-29
Title
WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Published
2020-10-12
Title
LocalWeb All In One plugin < 1.6.5 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2023-04-14
Title
Booqable Rental <= 2.4.16 - Admin+ Stored XSS