Ultimate FAQ < 1.8.30 - Unauthenticated Reflected XSS



Description
The FAQ shortcode reflects the Display_FAQ GET parameter into the HTML it generates without sanitising it, leading to an unauthenticated reflected Cross-Site Scripting (XSS) issue on any page where the shortcode is used.
Proof of Concept
Append the following payload to the URL of a page where a FAQ is embedded: ?Display_FAQ=</script><svg/onload=alert(/XSS/)>
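
One way to look for requests against this parameter in web server access logs, as an added example that is not part of the original advisory or the plugin's code. It assumes combined-format log lines and that legitimate Display_FAQ values never contain angle brackets; the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

PARAM = "Display_FAQ"          # parameter named in the advisory
MARKUP = re.compile(r"[<>]")   # assumption: legitimate values never contain these
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jan/2020:10:00:00 +0000] "GET /faq/?Display_FAQ=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jan/2020:10:01:12 +0000] "GET /faq/?Display_FAQ='
    '%3C%2Fscript%3E%3Csvg%2Fonload%3Dalert(%2FXSS%2F)%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [06/Jan/2020:10:02:30 +0000] "GET /faq/?Display_FAQ=7&page=2 HTTP/1.1" 200 5099',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for Display_FAQ values carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        query = urlsplit(match.group(1)).query
        # parse_qsl splits on the first "=" and percent-decodes once.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name != PARAM:
                continue
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {PARAM}={value!r}")
```

A hit shows that a crafted link was requested, not that a script ran in a visitor's browser; sites still running a version below 1.8.30 need the update regardless of what the logs show.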

Affects Plugin

Fixed in version 1.8.30

References

CVE 2020-7107
URL https://plugins.trac.wordpress.org/changeset/2222959

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ryan Knell
Verified Yes
WPVDB ID 10006

Timeline

Publicly Published 2020-01-06
Added 2020-01-07
Last Updated 2020-01-17
