WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)

vendor:

RSS for Yandex Turbo

by:

Himamshu Dilip Kulkarni

8.8

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: RSS for Yandex Turbo

Affected Version From: 1.29

Affected Version To: 1.29

Patch Exists: NO

Related CWE: N/A

CPE: a:wordpress:wordpress

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows

2021

WordPress Plugin RSS for Yandex Turbo 1.29 – Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability exists in WordPress Plugin RSS for Yandex Turbo 1.29. An attacker can inject malicious JavaScript payloads into the user input fields of the plugin and when the mouse cursor is moved over these fields, the payloads get executed and a pop-up is displayed.

Mitigation:

The user should ensure that all user input is properly sanitized and validated before being stored in the database.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)
# Date: 17/04/2021
# Exploit Author: Himamshu Dilip Kulkarni
# Software Link: https://wordpress.org/plugins/rss-for-yandex-turbo/
# Version: 1.29
# Tested on: Windows

#Steps to reproduce vulnerability:

1. Install WordPress 5.6
2. Install and activate "RSS for Yandex Turbo" plugin.
3. Navigate to Setting >> Яндекс.Турбо >> Счетчики and enter the data into all the six user input field and submit the request.
4. Capture the request into burp suite and append the following mentioned JavaScript payloads (one payload per parameter)
"+onmouseover="alert(1)
"+onmouseover="alert(2)
"+onmouseover="alert(3)
"+onmouseover="alert(4)
"+onmouseover="alert(5)
"+onmouseover="alert(6)
5. You will observe that the payloads got successfully stored into the database and when you move the mouse cursor over these fields the JavaScript payloads get executed successfully and we get a pop-up.