Lucene search

YoshiKenWPEX-ID:36E8EFE8-B29F-4C9E-9DD5-3E317AA43E0C

HistorySep 21, 2021 - 12:00 a.m.

Request a Quote < 2.3.5 - Admin+ Stored Cross-Site Scripting

2021-09-2100:00:00

YoshiKen

264

admin

stored

cross-site scripting

payloads

vulnerable field

validation

client side

server side

web browser

attachments section

maximum files

file size

file extensions

exploit

EPSS

0.001

Percentile

24.8%

JSON

The plugin does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.

As admin, put the below payloads in the related vulnerable field/s and save them (there is some validation done client side for the Maximum fields, but won't be done server side, so either repeat the request with the payloads, or inject the fields in the web browser and change them to text type)

Affected fields and related payloads:
- Base Slug (request_a_quote_ent_map_list[emd_quote][rewrite]): '><script>alert(/XSS/)</script>

Attachments Section
- Maximum files (request_a_quote_ent_map_list[emd_quote][max_files][emd_contact_attachment]): "><script>alert(/XSS/)</script>
- Maximum file size (request_a_quote_ent_map_list[emd_quote][max_file_size][emd_contact_attachment]): "><script>alert(/XSS/)</script>
- Allowed file extensions (request_a_quote_ent_map_list[emd_quote][file_exts][emd_contact_attachment]): </textarea><script>alert(/XSS/)</script>

EPSS

0.001

Percentile

24.8%

JSON

Related for WPEX-ID:36E8EFE8-B29F-4C9E-9DD5-3E317AA43E0C