Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-9909: Give 2.3.0 - Reflected XSS (WordPress Plugin)

The “Donation Plugin and Fundraising Platform” plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS.

CVE
#xss#csrf#vulnerability#git#java#wordpress#php
  • Vulnerability: XSS
  • Affected Software: Give (50,000+ active installations)
  • Affected Version: 2.3.0
  • Patched Version: 2.3.1
  • Risk: Medium
  • Vendor Contacted: 11/24/2018
  • Vendor Fix: 12/13/2018
  • Public Disclosure: 02/05/2019

CVSS

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

The Give WordPress plugin is vulnerable to reflected XSS as it echoes various parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

Proof of Concept

http://localhost/wordpress/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=import&importer-type=import_donations&step=3&mapto%5B0%5D=email&mapto%5B1%5D=first_name&mapto%5B2%5D=amount&mapto%5B3%5D=form_id&csv='"><img+src%3dx+onerror%3dalert(1)>

Code

public function start_import() {
    [...]
    <input type="hidden" value='<?php echo maybe_serialize( $_REQUEST['mapto'] ); ?>' name="mapto"
   class="mapto">
    <input type="hidden" value="<?php echo $_REQUEST['csv']; ?>" name="csv" class="csv">
    <input type="hidden" value="<?php echo $_REQUEST['mode']; ?>" name="mode" class="mode">
    <input type="hidden" value="<?php echo $_REQUEST['create_user']; ?>" name="create_user"
   class="create_user">
    <input type="hidden" value="<?php echo $_REQUEST['delete_csv']; ?>" name="delete_csv"
   class="delete_csv">
    <input type="hidden" value="<?php echo $delimiter; ?>" name="delimiter">
    <input type="hidden" value="<?php echo absint( $_REQUEST['dry_run'] ); ?>" name="dry_run">

Timeline

  • 11/24/2018 Asked for email address via contact form
  • 11/24/2018 Vendor responds, advisory sent
  • 12/13/2018 Vendor releases fix
  • 02/05/2019 Confirmed fix & Disclosure

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907