Stored Cross Site Scripting (XSS) in parameter rp4wp[heading_text] in barrykooij/related-posts-for-wp

Valid

Reported on

Oct 5th 2022


Description

The Related Posts for WordPress plugin is vulnerable to stored cross-site scripting (XSS) through the rp4wp[heading_text] parameter of its settings page. The value submitted for the "Heading text" field is saved without sanitization and echoed back into the settings form without output escaping, so a value that begins with a double quote closes the surrounding HTML attribute and the remainder is parsed as new attributes, including event handlers. The injected JavaScript is persisted with the option and executes whenever the page that renders it is loaded.

Proof of Concept

1 - Install and activate version 2.1.2 of the plugin (the last affected release; the issue was fixed in 2.1.3).

2 - Go to the plugin settings panel (http://[TARGET]/wp-admin/options-general.php?page=rp4wp).

3 - Insert the following payload in the "Heading text" field:

" autofocus onfocus=alert(/XSS/)>

4 - Save the changes. The settings page reloads with the stored value echoed unescaped into the form: the injected autofocus attribute gives the field focus, the onfocus handler fires, and the alert(/XSS/) popup appears, demonstrating the vulnerability. Because the value is stored, the popup fires again each time the settings page is rendered.
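The following is an added illustration of the rendering pattern behind this class of bug and of the fix; it is not the plugin's own code and does not reproduce the affected line in class-settings.php. The function names, the option value and the fallback definitions of esc_attr() and sanitize_text_field() (so that the file runs under plain php outside WordPress) are assumptions; inside WordPress the real functions would be used.

```php
<?php
// Added example, not code from the related-posts-for-wp plugin.
// Shows a settings value concatenated into an HTML attribute without
// escaping (stored XSS) next to the escaped version.

// Fallbacks so this runs under plain `php` with no WordPress loaded.
// WordPress defines both of these; the stand-ins approximate them.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Rough stand-in: drop tags and collapse whitespace, like the real one.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $text)));
    }
}

// Constructed input: the attribute-breaking payload used in the PoC above.
$stored_heading = '" autofocus onfocus=alert(/XSS/)>';

// VULNERABLE pattern: the saved option is written straight into value="".
// A leading double quote ends the attribute and the rest becomes new
// attributes on the <input>, including an event handler.
function render_heading_field_unsafe($value) {
    return '<input type="text" name="rp4wp[heading_text]" value="' . $value . '" />';
}

// FIXED pattern: escape at output time so quotes and angle brackets cannot
// terminate the attribute. This is the change that actually closes the bug.
function render_heading_field_safe($value) {
    return '<input type="text" name="rp4wp[heading_text]" value="' . esc_attr($value) . '" />';
}

// Defence in depth: normalise on save as well (what a register_setting()
// sanitize_callback would do). Note this alone is NOT sufficient for this
// payload, because it contains no "<...>" tag for the sanitizer to strip.
function sanitize_heading_text($input) {
    return sanitize_text_field($input);
}

echo "Unsafe:          " . render_heading_field_unsafe($stored_heading) . PHP_EOL;
echo "Escaped:         " . render_heading_field_safe($stored_heading) . PHP_EOL;
echo "Sanitized only:  " . render_heading_field_unsafe(sanitize_heading_text($stored_heading)) . PHP_EOL;
echo "Sanitized+esc:   " . render_heading_field_safe(sanitize_heading_text($stored_heading)) . PHP_EOL;
```

Running this prints the unsafe markup with the `autofocus` and `onfocus` attributes sitting on the input element, while the escaped line shows `&quot;` and `&gt;` in their place and the browser treats the whole value as inert text. The "Sanitized only" line is the point worth checking in a review: because the PoC payload contains no tag, an input sanitizer that strips tags leaves it intact, so escaping at the point of output is the control that matters.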

Evidence

PoC

Impact

JavaScript planted through this field runs in the browser of any user who loads the page that renders it, with that user's session and privileges. That is enough to hijack the session, read data from the page and from same-origin requests, deface the site or redirect visitors to attacker-controlled pages, and, when the victim is an administrator, to escalate further: create privileged users, install a backdoored plugin or theme, or establish a reverse connection from the server. One caveat on scope: the field is edited from the plugin's page under wp-admin, so planting the payload requires an account allowed to change those settings. On a single-site install such accounts normally hold the unfiltered_html capability anyway, so the bug matters most on multisite installs and on sites where that capability has been removed.

We are processing your report and will contact the barrykooij/related-posts-for-wp team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the barrykooij/related-posts-for-wp team and are waiting to hear back a year ago
We have sent a follow up to the barrykooij/related-posts-for-wp team. We will try again in 4 days. a year ago
Barry Kooij validated this vulnerability a year ago
und3sc0n0c1d0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Juampa
a year ago

Researcher


@maintainer Is it okay with you if I am assigned a CVE for this vulnerability?

We have sent a fix follow up to the barrykooij/related-posts-for-wp team. We will try again in 7 days. a year ago
Barry Kooij
a year ago

Maintainer


@Juampa Rodríguez I'm not sure how to do that.

Barry Kooij
a year ago

Maintainer


Fixed on master branch https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81

Will release update later today.

Juampa
a year ago

Researcher


@maintainer I will be happy to re-validate the vulnerability once I have the fixed version of your source code.

@admin, could you please provide me with a new CVE for this vulnerability?

Barry Kooij marked this as fixed in 2.1.3 with commit 377333 a year ago
Barry Kooij has been awarded the fix bounty
class-settings.php#L212 has been validated
This vulnerability has now been published a year ago
Ben Harvie
a year ago

Admin


This report has now been assigned a CVE as requested and it will publish momentarily. Happy hunting:)
