WordPress Plugin – EU Cookie Law (GDPR) – Stored XSS (CVE-2019-16522)
The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message.
This affects Font Color, Background Color, and the Disable Cookie text.
An authenticated attacker with high privileges (admin) can attack other users and execute JavaScript code in a victim’s browser.
The impact depends on the level of access of the attacked user.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law
WordPress Plugin – Broken Link Checker – Reflected XSS (CVE-2019-16521)
The broken-link-checker plugin through 1.11.8 for WordPress (aka Broken Link Checker) is susceptible to Reflected XSS due to improper encoding and insertion of an HTTP GET parameter into HTML.
The filter function on the page listing all detected broken links can be exploited by providing an XSS payload in the s_filter GET parameter in a filter_id=search request. NOTE: this is an end-of-life product.
An external attacker without any privileges can execute JavaScript code in a victim’s browser.
The impact depends on the level of access of the attacked user.
In case of an admin this can lead to the execution of PHP code.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-02_WordPress_Plugin_Broken_Link_Checker
WordPress Plugin – Events Manager – Stored XSS (CVE-2019-16523)
The events-manager plugin before 5.9.6 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map).
The plugin provides shortcodes to create a map widget, e.g. for displaying the location of an event. Those maps can be visually adjusted by providing a custom style via the attribute map_style in the shortcode. The usage of HTML inside shortcode attributes is limited in order to prevent XSS. However, in this case it is possible to inject arbitrary HTML and JavaScript because the map_style attribute expects a base64-encoded JSON object. This allows bypassing sanitization. The shortcodes locations_map and events_map are affected by this problem.
An authenticated attacker with the ability to create posts can execute JavaScript code in a victim’s browser.
The impact depends on the level of access of the attacked user.
In case of an admin this can lead to the execution of PHP code.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-03_WordPress_Plugin_Events_Manager
WordPress Plugin – All in One SEO Pack – Stored XSS (CVE-2019-16520)
The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.
The plugin adds several fields to the page where a post can be created or edited. This allows setting a custom title and description for each post.
The information provided there will be inserted in corresponding meta-tags on the page of the post. The values of the fields are escaped before they are inserted into the HTML of the page.
However, if an attacker sets a payload in the title field and provides a placeholder for the value of the title field in the description field, the raw value of the title field will get inserted in the description.
The description is not sanitized or encoded afterwards. This allows the attacker to break out of the meta-tag attribute and insert arbitrary HTML and JavaScript.
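
The ordering problem described above, shown as an added PHP example that is not the plugin's own code. The function names and the %title% placeholder are hypothetical, and htmlspecialchars stands in for whatever output encoding the plugin applies.

```php
<?php
// Added illustration, not the plugin's code. The function names and the
// %title% placeholder are hypothetical.

// Vulnerable order: the description is escaped first, then the placeholder
// is replaced with the raw title, and nothing encodes the result afterwards.
function render_description_vulnerable(string $template, string $title): string
{
    $escaped = htmlspecialchars($template, ENT_QUOTES, 'UTF-8');
    $description = str_replace('%title%', $title, $escaped);
    return '<meta name="description" content="' . $description . '" />';
}

// Hardened order: expand placeholders on the raw values, then encode the
// final string exactly once at the point where it enters the attribute.
function render_description_hardened(string $template, string $title): string
{
    $description = str_replace('%title%', $title, $template);
    return '<meta name="description" content="'
        . htmlspecialchars($description, ENT_QUOTES, 'UTF-8') . '" />';
}

// Returns true when the attribute value contains no raw quote or angle
// bracket, i.e. nothing that could terminate the attribute or the tag.
function attribute_value_is_encoded(string $tag): bool
{
    $prefix = '<meta name="description" content="';
    $suffix = '" />';
    $value  = substr($tag, strlen($prefix), -strlen($suffix));
    return strpbrk($value, '"<>') === false;
}

// Constructed sample input: a title with attribute-breaking characters.
$title    = 'Sale "50% off" <today>';
$template = 'Read more: %title%';

foreach (['render_description_vulnerable', 'render_description_hardened'] as $fn) {
    $tag = $fn($template, $title);
    echo $fn, PHP_EOL, '  ', $tag, PHP_EOL;
    echo '  attribute value fully encoded: ';
    var_dump(attribute_value_is_encoded($tag));
}
```
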
An authenticated attacker with the ability to create posts can execute JavaScript code in a victim’s browser.
The impact depends on the level of access of the attacked user.
In case of an admin this can lead to the execution of PHP code.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-04_WordPress_Plugin_All_in_One_SEO_Pack