Lucene search

K
wpvulndbLana CodesWPVDB-ID:A90A413D-0E00-4DA8-A339-D6CDFBA70BB3
HistoryJan 16, 2023 - 12:00 a.m.

Restaurant Menu < 2.3.6 - Contributor+ Stored XSS via Shortcode

2023-01-1600:00:00
Lana Codes
wpscan.com
3

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

12.0%

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PoC

The exploit requires at least a contributor role. 1. Create and connect a GloriaFood account, and add a Restaurant. 2. Find the RUID on the GloriaFood Settings page. 3. Insert the following shortcode in a post/page by changing the RUID accordingly: [restaurant-reservations ruid=‘87cdb0a5-54ad-4296-a7d9-cd37fd217f68’ class=‘" onmouseover=“alert(1)”’]

CPENameOperatorVersion
menu-ordering-reservationslt2.3.6

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

12.0%

Related for WPVDB-ID:A90A413D-0E00-4DA8-A339-D6CDFBA70BB3