WTI Like Post <= 1.4.5 - Authenticated Stored Cross-Site Scripting (XSS)



Description
A stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin 1.4.4 for WordPress. Once the administrator has submitted the crafted data, the stored script is executed for all users visiting the public posts.


Edit (WPScanTeam):
March 27th, 2020 - Report received. v1.4.5, released on March 11th, 2020, attempted to fix the issue; however, the fix is not sufficient (done only client side). Furthermore, payloads with events still work. Emailed the researcher back, who then contacted the authors about it.
April 7th, 2020 - Authors replied to researcher that they "will make further improvements on this."
April 22nd, 2020 - Asked the researcher for updates.
April 28th, 2020 - No update from authors via researcher, escalated to WP Plugin team.
May 1st, 2020 - Plugin closed for review

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugin

no known fix
- plugin closed

References

CVE 2020-8799

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Davide Bernardi
Submitter Davide Bernardi
Submitter Website https://www.linkedin.com/in/davide-bernardi-9352182/
Views 894
Verified Yes
WPVDB ID 10210

Timeline

Publicly Published 2020-05-02 (24 days ago)
Added 2020-05-02 (23 days ago)
Last Updated 2020-05-04 (21 days ago)
