CSW Zero Days | Reflected Cross-Site Scripting in WordPress
Mar 25, 2022
Reflected Cross-Site Scripting attacks, also known as non-persistent attacks, occur when a malicious script is reflected back from a web application into the victim's browser. The script is delivered through a link that sends a request to the vulnerable website, which echoes the script back so that it executes in the victim's browser.
Proof of Concept (PoC):
After installing the Country Selector plugin, go to the homepage of the WordPress site.
Capture all requests and locate the POST request for the check_country_selector AJAX action.
Figure 01: Original AJAX Request
Enter the payload <img+src=x+onerror=alert(document.cookie)> in the country parameter and the same payload <img+src=x+onerror=alert(document.cookie)> in the lang parameter.
Figure 02: Injected XSS Payloads in the "country" and "lang" Parameters
Forward the request.
The injected XSS payload is reflected and triggered in the user's browser.
Figure 04: The Default Cross-Site Scripting Mitigation Setting in wp.config file to Prevent XSS Attacks
An attacker can perform the following:
- Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.
- Modify the code and get the session information of other users.
- Compromise the user machine.
Mitigation:
- Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library consistently throughout the application.
- Implement input validation for special characters on all variables that are reflected to the browser or stored in the database.
- Explicitly set the character set encoding for each page generated by the web server.
- Encode dynamic output elements and filter specific characters in dynamic elements.
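As an added illustration (not the Country Selector plugin's or the vendor's code), the following hypothetical admin-ajax handler for an action named check_country_selector shows the reflective pattern behind this finding beside a hardened version that applies the allow-list validation and context-sensitive escaping recommended above. The function names, the nonce action name and the allowed country/language lists are assumptions made for the example.

```php
<?php
// Example only: a hypothetical handler for the check_country_selector AJAX action.
// Not the plugin's real code; it models the pattern that leads to CWE-79 and its fix.

// Vulnerable pattern: untrusted POST values are concatenated straight into HTML.
function csw_example_check_country_selector_vulnerable() {
    $country = isset( $_POST['country'] ) ? $_POST['country'] : '';
    $lang    = isset( $_POST['lang'] ) ? $_POST['lang'] : '';
    // Any markup in either parameter is returned verbatim and rendered by the browser.
    echo '<div class="selector">Country: ' . $country . ' / Language: ' . $lang . '</div>';
    wp_die();
}

// Hardened pattern: verify origin, validate against an allow-list, escape for HTML.
function csw_example_check_country_selector_hardened() {
    // Reject requests that do not carry the nonce issued to the site's own front end
    // (the nonce action name is an assumption for this example).
    check_ajax_referer( 'csw_example_country_selector', 'nonce' );

    // sanitize_text_field() strips tags, control characters and surrounding whitespace.
    $country = sanitize_text_field( wp_unslash( $_POST['country'] ?? '' ) );
    $lang    = sanitize_text_field( wp_unslash( $_POST['lang'] ?? '' ) );

    // Allow-list of accepted codes (hypothetical lists for the example).
    $allowed_countries = array( 'US', 'DE', 'IN' );
    $allowed_langs     = array( 'en', 'de', 'hi' );
    if ( ! in_array( $country, $allowed_countries, true )
        || ! in_array( $lang, $allowed_langs, true ) ) {
        // Unexpected input is rejected rather than reflected.
        wp_send_json_error( array( 'message' => 'invalid selection' ), 400 );
    }

    // esc_html() is the context-sensitive encoder for values placed in HTML text;
    // even a value that slipped past validation cannot break out of the element.
    echo '<div class="selector">Country: ' . esc_html( $country )
        . ' / Language: ' . esc_html( $lang ) . '</div>';
    wp_die();
}

// Register the hardened handler for both logged-in and anonymous visitors.
add_action( 'wp_ajax_check_country_selector', 'csw_example_check_country_selector_hardened' );
add_action( 'wp_ajax_nopriv_check_country_selector', 'csw_example_check_country_selector_hardened' );
```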
Timeline:
- March 24, 2022: Discovered in the WordPress Country Selector plugin, version 1.6.5
- March 25, 2022: Reported to Welaunch
- March 29, 2022: Acknowledged by Welaunch
- March 30, 2022: Vendor released a patch for the XSS vulnerability
- March 31, 2022: CSW assigned CVE-2022-28290
Cyber Security Works Pvt. Ltd.
- Affected Vendor: Welaunch
- Bug Name: Reflected Cross-Site Scripting
- CVE Number: CVE-2022-28290
- CWE ID: CWE-79
- CSW ID: 2022-CSW-03-1055
- CVSSv3 Score: 6.1
- Affected Version: Version 1.6.5
- Affected Product: WordPress Country Selector