Joshua Martinelle of Tenable Research discovered multiple cross-site scripting (XSS) vulnerabilities across a number of WordPress plugins. This advisory will track each vulnerability as information and fixes become available.
Quick Event Manager : CVE-2023-23491 - Unauthenticated Reflected Cross-Site Scripting
Reference: https://wordpress.org/plugins/quick-event-manager/
Affected Versions: < 9.7.5
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Score: 6.1
There is a reflected XSS vulnerability in the 'category' parameter of the 'qem_ajax_calendar' action, as the parameter is reflected in the response without prior filtering. The vulnerable code is present in the function 'qem_show_calendar()' of the file 'legacy/quick-event-manager.php'.
Proof of Concept:
Any user visiting the following link, where TARGET_HOST is the instance of WordPress with the plugin installed, will trigger the reflected XSS payload:
http://TARGET_HOST/wp-admin/admin-ajax.php?action=qem_ajax_calendar&category=</script><script>alert(1)</script>
Login with Phone Number : CVE-2023-23492 - Unauthenticated Reflected Cross-Site Scripting
Reference: https://wordpress.org/plugins/quick-event-manager/
Affected Versions: < 1.4.2
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Score: 6.1
The 'ID' parameter of the 'lwp_forgot_password' action is used in the response without any filtering, leading to a reflected XSS. Although the response is encoded as JSON, the Content-Type of the response is text/html, which allows the vulnerability to be exploited. This vulnerability is present in the './login-with-phonenumber.php' file in the 'lwp_forgot_password()' function.
Proof of Concept:
Any user visiting the following link, where TARGET_HOST is the instance of WordPress with the plugin installed, will trigger the reflected XSS payload:
http://TARGET_HOST/wp-admin/admin-ajax.php?action=lwp_forgot_password&ID=<svg%20onload=alert(1)>
WP Helper Lite : CVE-2023-0448 - Unauthenticated Reflected Cross-Site Scripting
Reference: https://wordpress.org/plugins/wp-helper-lite/
Affected Versions: < 4.3
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Score: 6.1
The plugin displays all of the user's GET parameters in the response to the surveySubmit action without any filtering. The vulnerable code is present in the function 'surveySubmit_func()' of the file 'includes/class-mbwp-helper.php'.
Proof of Concept:
Any user visiting the following link, where TARGET_HOST is the instance of WordPress with the plugin installed, will trigger the reflected XSS payload:
http://TARGET_HOST/wp-admin/admin-ajax.php?action=surveySubmit&aaa=xxx"><svg%20onload=alert(1)>
Meta Data and Taxonomies Filter : CVE-2023-28664 - Authenticated Reflected Cross-Site Scripting
Reference: https://wordpress.org/plugins/wp-meta-data-filter-and-taxonomy-filter/
Affected Versions: < 1.3.1
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Score: 5.4
The plugin appears to have an incorrect usage of the core function 'esc_html__' which can lead to a reflected XSS via the 'tax_name' parameter.
Proof of Concept:
An authenticated user visiting the following link, where TARGET_HOST is the instance of WordPress with the plugin installed, will trigger the reflected XSS payload:
http://TARGET_HOST/wp-admin/admin-ajax.php?action=mdf_get_tax_options_in_widget&tax_name=<svg/onload=alert(1)>
Woo Bulk Price Update : CVE-2023-28665 - Authenticated Reflected Cross-Site Scripting
Reference: https://wordpress.org/plugins/woo-bulk-price-update/
Affected Versions: < 2.2.2
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Score: 5.4
The 'page' parameter of the techno_get_products action is used in the response without any filtering, leading to a reflected XSS.
Proof of Concept:
An authenticated user visiting the following link, where TARGET_HOST is the instance of WordPress with the plugin installed, will trigger the reflected XSS payload:
http://TARGET_HOST/wp-admin/admin-ajax.php?action=techno_get_products&page=<svg%20onload=alert(1)>
InPost Gallery : CVE-2023-28666 - Authenticated Reflected Cross-Site Scripting
Reference: https://wordpress.org/plugins/inpost-gallery/
Affected Versions: <= 2.1.4.1
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Score: 5.4
The 'imgurl' parameter of the add_inpost_gallery_slide_item action is used in the response without any filtering, leading to a reflected XSS which could be triggered against authenticated users.
Proof of Concept:
An authenticated user visiting the following link, where TARGET_HOST is the instance of WordPress with the plugin installed, will trigger the reflected XSS payload:
http://TARGET_HOST/wp-admin/admin-ajax.php?action=add_inpost_gallery_slide_item&imgurl="><svg%20onload=alert(1)>
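Every issue above is reached through wp-admin/admin-ajax.php with a known action name and a reflected parameter, so a site owner can look for exploitation attempts in existing web server logs. The following is an added detection example, not code from the Tenable advisory or from any of the plugins; the log lines are constructed, and the action-to-parameter map is taken from the entries above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# AJAX actions named in the advisory and the parameter each handler reflects.
# None means the handler reflects every GET parameter (surveySubmit).
WATCHED_ACTIONS = {
    "qem_ajax_calendar": "category",
    "lwp_forgot_password": "ID",
    "surveySubmit": None,
    "mdf_get_tax_options_in_widget": "tax_name",
    "techno_get_products": "page",
    "add_inpost_gallery_slide_item": "imgurl",
}

# Tokens needed to break out into an HTML context; none belong in these parameters.
MARKUP_RE = re.compile(r'<|>|"|on\w+\s*=', re.IGNORECASE)

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: two attempts against advisory actions, one benign call, one unrelated URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=qem_ajax_calendar&category=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.7 - - [10/Jan/2023:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=surveySubmit&aaa=xxx%22%3E%3Csvg%20onload=alert(1)%3E HTTP/1.1" 200 300 "-" "curl/7.81.0"
198.51.100.4 - - [10/Jan/2023:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=qem_ajax_calendar&category=workshops HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2023:12:00:04 +0000] "GET /index.php?s=%3Cb%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def inspect_line(line):
    """Return a finding for a suspicious admin-ajax.php request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = dict(parse_qsl(url.query, keep_blank_values=True))  # percent-decodes values
    action = params.get("action")
    if action not in WATCHED_ACTIONS:
        return None
    wanted = WATCHED_ACTIONS[action]
    suspicious = {k: v for k, v in params.items()
                  if k != "action" and (wanted is None or k == wanted) and MARKUP_RE.search(v)}
    if not suspicious:
        return None
    return {"ip": m.group("ip"), "action": action, "params": suspicious, "status": int(m.group("status"))}

def scan(log_text):
    """Run inspect_line over a whole log and collect the findings in order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests where the decoded parameter contains markup are reported with the source IP and status, so the same logic can be pointed at a real access log once the plugins are updated to the fixed versions listed above.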