Lucene search
Dmitrii ignatyevWPEX-ID:99B6AA8B-DEB9-48F8-8896-F3C8118A4F70HistoryFeb 13, 2024 - 12:00 a.m.
Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
2024-02-1300:00:00
Dmitrii ignatyev
23
admin
ultimate posts widget
stored xss
widget editing
xss
frontend exploit
mouseover trigger
Description The plugin does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
As admin, create/edit an Ultimate Post widget and put the following payload in the Title, URL or "CSS Classes" fields: " onmouseover="alert(/XSS/)"
The XSS will be triggered when a user move their mouse over
- the title of the widget on page where the widget is output
- the related field when editing the widget
Other payload, for the URL field to trigger in the frontend: ' onmouseover=alert(/XSS-URL/)// and javascript:alert(/XSS/)References
Related
cvelist
cvelist
CVE-2024-0561 Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
2024-03-11 17:56:07
cve
cve
CVE-2024-0561
2024-03-11 18:15:17
prion
prion
Cross site scripting
2024-03-11 18:15:00
wpvulndb
wpvulndb
Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
2024-02-13 00:00:00
wordfence
wordfence
7.9 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
8.7%
Related for WPEX-ID:99B6AA8B-DEB9-48F8-8896-F3C8118A4F70