WPEX-ID:33DDDAEC-A32A-4FCE-89D6-164565BE13E1
Source: wpexploit (Lana Codes)
History: Nov 08, 2022 - 12:00 a.m.

WP OAuth Server < 4.2.2 - Admin+ Stored XSS

2022-11-08 00:00:00
Lana Codes

Tags: wordpress, oauth, stored xss, security, exploit

EPSS: 0.001 (Low), Percentile: 24.9%

The plugin does not sanitize and escape Client IDs, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Edit a client (OAuth Server > Clients) and put the following payload in the "Client ID" field: "><script>alert(/XSS/)</script>

The XSS will be triggered in the Clients list, as well as when editing the client.

v4.2.1 added sanitisation, but no escaping, so a payload like " style=animation-name:rotation onanimationstart=alert(/XSS/)// would still work (but would only be triggered when editing the client).
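As an added illustration (not the plugin's own code), the PHP below contrasts the three states described above: unescaped output, the v4.2.1 sanitise-only change, and sanitise plus context-specific escaping. It assumes WordPress is loaded (for example via `wp eval-file`) so that sanitize_text_field(), esc_attr() and esc_html() exist; the render_* functions and the input-field markup are hypothetical stand-ins for the plugin's templates.

```php
<?php
// Added illustration, not the plugin's code: why sanitising a Client ID on
// save is not enough, and why the value must also be escaped for the HTML
// context it is printed into. Assumes WordPress is loaded so that
// sanitize_text_field(), esc_attr() and esc_html() are available.

// Constructed inputs: a benign ID and the two payloads from the advisory.
$inputs = [
    'benign'       => 'my-client-1',
    'tag_payload'  => '"><script>alert(/XSS/)</script>',
    'attr_payload' => '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
];

// Pre-4.2.1 behaviour: the stored value is printed verbatim (vulnerable).
function render_unsafe( string $client_id ): string {
    return '<input type="text" name="client_id" value="' . $client_id . '">';
}

// v4.2.1 behaviour: sanitised on save, but still not escaped on output.
// sanitize_text_field() strips tags, so the <script> payload is defanged,
// but it leaves the double quote alone, so the attribute-breakout payload
// still closes the value="" attribute and injects its own attributes.
function render_sanitised_only( string $client_id ): string {
    $stored = sanitize_text_field( $client_id );
    return '<input type="text" name="client_id" value="' . $stored . '">';
}

// Fixed behaviour: sanitise on save AND escape for the output context.
// esc_attr() encodes " as &quot; so the value cannot leave the attribute;
// esc_html() is the right call for the Clients list, where the ID is text.
function render_safe( string $client_id ): array {
    $stored = sanitize_text_field( $client_id );
    return [
        'edit_form' => '<input type="text" name="client_id" value="' . esc_attr( $stored ) . '">',
        'list_cell' => '<td>' . esc_html( $stored ) . '</td>',
    ];
}

foreach ( $inputs as $label => $value ) {
    echo "== $label ==\n";
    echo 'unsafe:     ', render_unsafe( $value ), "\n";
    echo 'sanitised:  ', render_sanitised_only( $value ), "\n";
    $safe = render_safe( $value );
    echo 'safe form:  ', $safe['edit_form'], "\n";
    echo 'safe list:  ', $safe['list_cell'], "\n\n";
}
```

Comparing the "sanitised" and "safe form" lines for attr_payload shows the gap the advisory describes: sanitisation alone leaves the quote intact, while esc_attr() keeps the whole value inside the attribute.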

