GD bbPress Attachments <= 2.5 - Authenticated Stored XSS
Description
An authenticated user of a bbPress forum who is allowed to attach files can inject arbitrary JavaScript via the filename of an uploaded image. The injected code executes both on the topic page and in the admin panel, and it affects only administrators, moderators and the attacker themselves.

The variable $error['file'] in /code/attachments/front.php (line 349) is echoed into the page without being escaped.
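As an added illustration, not code from the plugin, from the referenced advisory or from the 2.6 changeset, the pattern behind this class of bug: an upload error entry is built from the user-controlled filename and interpolated into HTML, so markup in the filename reaches the browser intact. The vulnerable and hardened variants below are my own reconstruction in plain PHP; the $error array shape, the notice markup, the message wording and the function names are assumptions, and htmlspecialchars() stands in for WordPress's esc_html().

```php
<?php
// Added example: reconstruction of the unescaped-filename pattern.
// Not the plugin's code; array shape, markup and names are assumed.

// Constructed sample: an attacker-supplied filename from a multipart upload.
// Browsers and PHP accept '<', '>' and spaces in the "filename" field.
$attackerFilename = '<img src=x onerror=alert(document.cookie)>.png';

// Vulnerable variant: the error text is built from the raw filename and
// concatenated into HTML without escaping. Because the filename is also
// stored with the attachment, the same payload fires wherever it is rendered
// later (topic page, admin panel), which is what makes the XSS "stored".
function render_error_vulnerable(array $error): string {
    return '<div class="bbp-template-notice error">'
         . 'Upload failed: ' . $error['file']
         . '</div>';
}

// Hardened variant: escape at the point of output, for every output path.
// In WordPress templates the idiomatic call is esc_html(); in plain PHP,
// htmlspecialchars() with ENT_QUOTES so attribute contexts are covered too.
function render_error_hardened(array $error): string {
    return '<div class="bbp-template-notice error">'
         . 'Upload failed: '
         . htmlspecialchars($error['file'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</div>';
}

// Defense in depth: normalize the filename before it is stored, so code paths
// that forget to escape never see markup. Simplified analogue of what
// WordPress's sanitize_file_name() does; the allowed character set is assumed.
function safe_filename(string $name): string {
    $name = preg_replace('/[^A-Za-z0-9._-]/', '-', $name);
    $name = trim($name, '.-');
    return $name === '' ? 'file' : $name;
}

// Assumed error structure: the filename is copied in verbatim on failure.
$error = ['file' => $attackerFilename, 'message' => 'Upload failed'];

echo render_error_vulnerable($error), "\n"; // payload reaches the page as live markup
echo render_error_hardened($error), "\n";   // payload rendered as inert text
echo safe_filename($attackerFilename), "\n"; // stored name carries no markup
```

Escaping at output is the actual fix for the reported bug; sanitizing the stored name is a second layer, not a replacement, because a filename that is safe as text can still be unsafe inside an attribute or a script context if it is dropped there unescaped.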

Affects Plugin

Fixed in version 2.6

References

URL https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/
URL https://www.dev4press.com/blog/plugins/2018/gd-bbpress-attachments-2-6/
URL https://plugins.trac.wordpress.org/changeset/1865293/gd-bbpress-attachments

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Luigi
Submitter Website https://www.gubello.me/blog/
Views 6212
Verified No
WPVDB ID 9082

Timeline

Publicly Published 2018-05-14
Added 2018-05-14
Last Updated 2020-04-15
