CSW Zero Days | Reflected Cross-Site Scripting in WordPress
Affected Vendor: Welaunch
Status: Fixed
Date: Mar 25, 2022
Severity: Medium
Description
Reflected Cross-Site Scripting (XSS) attacks, also known as non-persistent attacks, occur when a malicious script is reflected from a web application back to the victim's browser. The script is delivered through a link that sends a request to a vulnerable page of the website; the page echoes the request data back unencoded, so the script executes in the victim's browser.
Proof of concept (POC)
- After installing the Country Selector plugin, go to the homepage of the WordPress site.
- Capture all the requests and find the POST request to the AJAX call check_country_selector.
  Figure 01: Original AJAX Request
- Enter the payload <img+src=x+onerror=alert(document.cookie)> in the country parameter and the same payload in the lang parameter.
  Figure 02: Injected XSS Payloads in "country" and "lang" Parameter
- Forward the request.
- The injected XSS payload is reflected and triggered in the user's browser.
  Figure 03: Injected JavaScript Code for "lang" and "country" Parameters is Executed On The User's Browser
Figure 04: The Default Cross-Site Scripting Mitigation Setting in wp.config file to Prevent XSS Attacks
Impact
An attacker can perform the following:
- Inject malicious code into the vulnerable parameter and exploit the application through the Cross-Site Scripting vulnerability.
- Modify the code and obtain the session information of other users.
- Compromise the user's machine.
Remediations
- Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library consistently throughout the application.
- Implement input validation for special characters on all variables that are reflected in the browser or stored in the database.
- Explicitly set the character set encoding for each page generated by the web server.
- Encode dynamic output elements and filter specific characters in dynamic elements.
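The following is an added example, not the Country Selector plugin's own code, showing the pattern behind the POC and the remediations above in a WordPress AJAX handler. The action name check_country_selector and the parameter names country and lang come from the advisory; the handler bodies, the csw_example_ function names, the nonce action name and the response markup are assumptions for illustration. The first handler reflects the request parameters verbatim (the defect class described here); the second validates the input and encodes each value for the HTML context it lands in.

```php
<?php
/**
 * Added example (not the plugin's code): two versions of an AJAX handler
 * for the check_country_selector action. Hook and parameter names are from
 * the advisory; function names, nonce action and markup are assumptions.
 */

// --- Vulnerable pattern: request parameters are echoed back unencoded ---
// Whatever arrives in country/lang is written straight into an HTML response,
// so markup in the request is reflected to the browser and executes there.
function csw_example_check_country_selector_vulnerable() {
    $country = isset( $_POST['country'] ) ? $_POST['country'] : '';
    $lang    = isset( $_POST['lang'] ) ? $_POST['lang'] : '';

    echo '<div class="country-selector" data-lang="' . $lang . '">'
       . 'Country: ' . $country . '<br>'
       . 'Language: ' . $lang
       . '</div>';
    wp_die();
}

// --- Hardened pattern: validate on input, encode for the output context ---
function csw_example_check_country_selector_hardened() {
    // Only accept requests that carry the nonce issued with the page
    // (nonce action name is an assumption for this example).
    check_ajax_referer( 'csw_example_country_selector', 'nonce' );

    // Input validation: sanitize_text_field() strips tags, control characters
    // and surrounding whitespace; wp_unslash() undoes WordPress' magic quotes.
    $country = isset( $_POST['country'] ) ? sanitize_text_field( wp_unslash( $_POST['country'] ) ) : '';
    $lang    = isset( $_POST['lang'] ) ? sanitize_text_field( wp_unslash( $_POST['lang'] ) ) : '';

    // Stricter validation where the expected format is known: a language
    // code such as "en" or "en_US". Anything else is dropped.
    if ( ! preg_match( '/^[a-z]{2}(_[A-Z]{2})?$/', $lang ) ) {
        $lang = '';
    }

    // Explicit character set on the response so the browser never guesses.
    // admin-ajax.php already sends this header; repeated here to mirror
    // the remediation item above.
    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );

    // Context-sensitive output encoding: esc_attr() for an attribute value,
    // esc_html() for element content. Sanitization above is defence in depth;
    // encoding at the point of output is what prevents the reflection.
    echo '<div class="country-selector" data-lang="' . esc_attr( $lang ) . '">'
       . 'Country: ' . esc_html( $country ) . '<br>'
       . 'Language: ' . esc_html( $lang )
       . '</div>';
    wp_die();
}

// Register the hardened handler for both logged-in and anonymous visitors
// (the POC is reproducible from the public homepage, so both hooks matter).
add_action( 'wp_ajax_check_country_selector', 'csw_example_check_country_selector_hardened' );
add_action( 'wp_ajax_nopriv_check_country_selector', 'csw_example_check_country_selector_hardened' );
```

With the hardened handler, the request from the POC is answered with the payload rendered as inert text: sanitize_text_field() removes the tag on the way in, and esc_html()/esc_attr() turn any remaining < > " characters into entities on the way out, so the browser displays them rather than parsing them as markup. The nonce check is not an XSS fix by itself, but it stops the endpoint from being driven by a forged cross-site request.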
Timeline
March 24, 2022: Discovered in WordPress Country Selector Plugin version 1.6.5
March 25, 2022: Reported to Welaunch
March 29, 2022: Acknowledged by Welaunch
March 30, 2022: Vendor Released Patch for XSS Vulnerability
March 31, 2022: CSW Assigned the CVE-2022-28290
Discovered by
Cyber Security Works Pvt. Ltd.
- Affected Vendor: Welaunch
- Bug Name: Reflected Cross-Site Scripting
- CVE Number: CVE-2022-28290
- CWE ID: CWE-79
- CSW ID: 2022-CSW-03-1055
- CVSSv3 Score: 6.1
- Affected Version: Version 1.6.5
- Severity: Medium
- Affected Product: WordPress Country Selector


