Async Javascript < 2.20.02.27 - Subscriber+ Stored XSS via Plugin Settings Change



Description
"Async JavaScript’s settings are modified via calls to wp-admin/admin-ajax.php with the action aj_steps. This AJAX action is registered only for authenticated users, but no capabilities checks are made. Because of this, low-privilege users including Subscribers can modify the plugin’s settings."
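The pattern the description names, an `admin-ajax.php` action that is registered for any authenticated user but never checks a capability, alongside the form a maintainer would ship instead, as an added PHP example. This is not the Async JavaScript plugin's own code and does not reproduce its settings handler: the action name `example_save_settings`, the option name `example_settings` and the nonce name are hypothetical; `check_ajax_referer`, `current_user_can`, `sanitize_text_field` and `esc_html` are standard WordPress functions.

```php
<?php
// Added example, not the plugin's code: a hypothetical settings handler for a
// WordPress plugin. The first function shows the weakness the entry describes;
// the second shows the checks that close it.

// --- Weak pattern (kept unregistered here, for contrast only) ---
// add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unchecked' );
function example_save_settings_unchecked() {
    // The wp_ajax_ prefix means WordPress only requires a logged-in user.
    // Without a capability check, a Subscriber reaches this line and can
    // overwrite settings, which is the weakness described above.
    update_option( 'example_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_checked' );
function example_save_settings_checked() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (the nonce name 'example_save_settings' is a hypothetical value).
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: changing plugin settings is an administrative action,
    //    so require the manage_options capability rather than just a login.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitize before storing, so settings cannot persist script markup.
    $raw      = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array();
    foreach ( $raw as $key => $value ) {
        $settings[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
    }
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// 4. Escape on output as well: stored XSS needs a sink, so any admin page that
//    echoes a saved setting must escape it for its context.
function example_render_setting( $key ) {
    $settings = get_option( 'example_settings', array() );
    echo esc_html( isset( $settings[ $key ] ) ? $settings[ $key ] : '' );
}
```

The capability check is the one that maps directly to the entry: `wp_ajax_` hooks only guarantee a session exists, so authorization has to be enforced inside the callback. The nonce, input sanitization and output escaping are the other layers that keep a settings endpoint from becoming a stored XSS vector even if one of them is bypassed.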

Affects Plugin

fixed in version 2.20.02.27

References

URL https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence)
Views 2640
Verified No
WPVDB ID 10098

Timeline

Publicly Published 2020-02-27 (about 1 month ago)
Added 2020-02-28 (about 1 month ago)
Last Updated 2020-02-29 (about 1 month ago)
