WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)

vendor:

KN Fix Your Title

by:

Aakash Choudhary

9,8

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: KN Fix Your Title

Affected Version From: 1.0.1

Affected Version To: 1.0.1

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mac

2021

WordPress Plugin KN Fix Your Title 1.0.1 – ‘Separator’ Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability exists in WordPress Plugin KN Fix Your Title 1.0.1. An attacker can inject malicious JavaScript code into the 'Separator' input field and when the same functionality is triggered, the malicious code will be executed in the victim's browser.

Mitigation:

Update to the latest version of the plugin.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
# Date: 19/07/2021
# Exploit Author: Aakash Choudhary
# Software Link: https://wordpress.org/plugins/kn-fix-your/
# Version: 1.0.1
# Category: Web Application
# Tested on Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate KN Fix Your Title
3. Navigate to Fix Title under Settings Tab >> Click on I have done this and enter the XSS payload into the Separator input field.
4. Click Save Changes.
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
6. Payload Used: "><script>alert(document.cookie)</script>