WordPress Plugin Vulnerabilities

Post SMTP < 2.1.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payload in the Post SMTP > Settings > Advanced > "Temporary Directory" settings: /tmp" style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

Plugin icon
post-smtp
Fixed in 2.1.4

References

CVE
CVE-2022-2351

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
f3fda033-58f5-446d-ade4-2336a39bfb87

Timeline

Publicly Published
2022-08-22 (about 1 years ago)
Added
2022-08-22 (about 1 years ago)
Last Updated
2023-05-11 (about 1 years ago)

Other

Published
Title
Published
2024-02-14
Title
Sydney Toolbox < 1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-02-16
Title
Simple Ajax Chat < 20220216 - Unauthenticated Stored XSS
Published
2023-10-29
Title
Buzzsprout Podcasting < 1.8.5 - Contributor+ Stored Cross-Site Scripting
Published
2021-10-25
Title
Ninja Tables < 4.1.8 - Admin+ Stored Cross-Site Cross-Site Scripting
Published
2024-03-28
Title
Post Grid < 2.2.76 - Reflected Cross-Site Scripting