Stored Cross Site Scripting (XSS) in parameter rp4wp[heading_text] in barrykooij/related-posts-for-wp
Reported on
Oct 5th 2022
Description
The Related Posts for WordPress plugin is vulnerable to stored XSS in the rp4wp[heading_text] parameter. The value submitted through the plugin settings form is saved without proper sanitization and later echoed back into the settings page without output escaping, so a user who can reach the settings page can store a payload that executes in the browser of anyone who subsequently loads that page. Because the PoC payload begins with a double quote, it closes the quoted attribute the value is rendered into and injects attributes of its own, including an event handler that runs JavaScript.
Proof of Concept
1 - Install and activate version 2.1.2 of the plugin.
2 - Go to the plugin settings panel (http://[TARGET]/wp-admin/options-general.php?page=rp4wp).
3 - Insert the following payload in the "Heading text" field:
" autofocus onfocus=alert(/XSS/)>
4 - Save the changes. When the settings page reloads, the alert popup fires immediately (the injected autofocus attribute triggers the onfocus handler without any further interaction), demonstrating the vulnerability.
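To make the bug class concrete, here is an added illustration of the vulnerable rendering pattern beside a hardened form. This is not the plugin's code (the real fix is in the commit linked further down); the function names, the option name `rp4wp` passed to `register_setting()`, and the save callback are assumptions chosen to match the parameter name in the report. The sample input is the PoC payload from the report.

```php
<?php
// Added example, not the plugin's own code. Function names, the option name
// 'rp4wp' and the settings-group name are hypothetical stand-ins.

// Constructed attacker input: exactly the PoC payload from the report.
$payload = '" autofocus onfocus=alert(/XSS/)>';

// VULNERABLE pattern: the stored option is concatenated straight into a
// quoted attribute. The leading quote in the payload closes value="" early
// and the rest becomes new attributes on the <input>, so the browser runs
// the onfocus handler as soon as the field is autofocused on page load.
function rp4wp_render_heading_field_vulnerable( $heading_text ) {
    return '<input type="text" name="rp4wp[heading_text]" value="'
        . $heading_text . '" />';
}

// HARDENED pattern: escape for the HTML attribute context at output time.
// esc_attr() encodes the quote characters, so the value can no longer
// terminate the attribute it is printed into.
function rp4wp_render_heading_field_fixed( $heading_text ) {
    return '<input type="text" name="rp4wp[heading_text]" value="'
        . esc_attr( $heading_text ) . '" />';
}

// Defence in depth: also sanitize on save through the Settings API.
// Note that sanitize_text_field() strips tags and control characters but
// does NOT encode double quotes, so on its own it would not stop this
// payload; the output escaping above remains mandatory.
function rp4wp_sanitize_settings( $input ) {
    $clean = array();
    $clean['heading_text'] = isset( $input['heading_text'] )
        ? sanitize_text_field( $input['heading_text'] )
        : '';
    return $clean;
}

add_action( 'admin_init', function () {
    // Option name and group are assumed; the plugin's real registration
    // may differ.
    register_setting( 'rp4wp', 'rp4wp', array(
        'type'              => 'array',
        'sanitize_callback' => 'rp4wp_sanitize_settings',
    ) );
} );

// Render both variants for the constructed payload so the difference is
// visible side by side when this file is loaded inside WordPress.
echo rp4wp_render_heading_field_vulnerable( $payload ), "\n";
echo rp4wp_render_heading_field_fixed( $payload ), "\n";
```

The point of the pairing is the context rule: a value printed inside a double-quoted attribute must be escaped for that context (`esc_attr()` in WordPress), and input-side sanitization is a second layer, not a substitute, because the payload here contains no tags for `sanitize_text_field()` to strip.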
Evidence
Impact
This vulnerability would allow an attacker to hijack the session of the user viewing the affected page, steal sensitive information, deface the website or redirect users to malicious websites. Since the payload executes in the browser of a logged-in administrator, it could also be escalated to more advanced attacks, for example creating privileged users on the WordPress instance, uploading a backdoor or even establishing a reverse connection.
Occurrences
@maintainer Is it okay with you if I am assigned a CVE for this vulnerability?
Fixed on master branch https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81
Will release update later today.
@maintainer I will be happy to re-validate the vulnerability once I have the fixed version of your source code.
@admin, could you please provide me with a new CVE for this vulnerability?
This report has now been assigned a CVE as requested and it will publish momentarily. Happy hunting :)