Persistent Cross-Site Scripting
-
III. DESCRIPTION
————————-
Has been detected a Persistent XSS vulnerability in Easy Table, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user’s browser.IV. PROOF OF CONCEPT
————————-
Malicious Request:
/wordpress/wp-admin/options-general.php?page=easy-tableeasy_table_plugin_option[shortcodetag]
easy_table_plugin_option[attrtag]
easy_table_plugin_option[class]
easy_table_plugin_option[width]
easy_table_plugin_option[border]
easy_table_plugin_option[align]
easy_table_plugin_option[limit]
easy_table_plugin_option[nl]
easy_table_plugin_option[terminator]
easy_table_plugin_option[delimiter]
easy_table_plugin_option[escape]In all of this parameters an attacker can inject for example “><script>alert(1)</script> to perform a attack of Persistent Cross-Site Scripting.
-
That page is only accessible to Administrator-level users and they normally are permitted to use the equivalent of cross-site scripting (XSS) due to them having the unfiltered_html capability, so them being able to do what is mentioned here wouldn’t be a vulnerability on its own. If that could be combined with cross-site request forgery (CSRF) when saving those values then there would be a vulnerability, but CSRF is prevented with proper use of a nonce. So there doesn’t look to be a vulnerability here, but it does look like it could be considered a bug.
The topic ‘Persistent Cross-Site Scripting’ is closed to new replies.
