WordPress Plugin – EU Cookie Law (GDPR) – Stored XSS (CVE-2019-16522)
The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message.
This affects Font Color, Background Color, and the Disable Cookie text. An authenticated attacker with high privileges (admin) can attack other users and execute JavaScript code in a victim’s browser. The impact depends on the level of access of the attacked user.
WordPress Plugin – Broken Link Checker – Reflected XSS (CVE-2019-16521)
The broken-link-checker plugin through 1.11.8 for WordPress (aka Broken Link Checker) is susceptible to Reflected XSS due to improper encoding and insertion of an HTTP GET parameter into HTML.
The filter function on the page listing all detected broken links can be exploited by providing an XSS payload in the s_filter GET parameter in a filter_id=search request. NOTE: this is an end-of-life product.
An external attacker without any privileges can execute JavaScript code in a victim’s browser. The impact depends on the level of access of the attacked user. In case of an admin this can lead to the execution of PHP code.
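Both advisories above come down to the same defect: a value that arrived from a settings form (the colour and text options) or from the query string (s_filter) is written into HTML without being encoded for the context it lands in. The following is an added example, not code from either plugin, showing the hardened pattern for each case. The function names mirror WordPress helpers; the fallback definitions are approximations so the file runs outside WordPress, and the markup, option names and class names are assumptions for illustration.

```php
<?php
// Added example (not the plugins' own code): encode stored and reflected
// values at the point they are written into HTML. Function names mirror
// WordPress helpers; the fallbacks below are approximations so the file
// runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_hex_color')) {
    // Approximation of the WordPress helper: returns the colour if it is a
    // 3- or 6-digit hex value, otherwise an empty string.
    function sanitize_hex_color($color) {
        return preg_match('/^#([A-Fa-f0-9]{3}|[A-Fa-f0-9]{6})$/', (string) $color) ? $color : '';
    }
}

// A colour option is CSS, not HTML: HTML-escaping it is not enough, so
// validate it against the only shape it is allowed to take and fall back
// to a safe default when validation fails.
function render_cookie_bar_style($font_color, $background_color) {
    $font = sanitize_hex_color($font_color) ?: '#000000';
    $bg   = sanitize_hex_color($background_color) ?: '#ffffff';
    return '<style>.eu-cookie-bar{color:' . $font . ';background:' . $bg . '}</style>';
}

// Free text from the settings page (the "Disable Cookie" text or the
// consent message) goes through esc_html before it lands in element content.
function render_cookie_bar_text($disable_text) {
    return '<span class="eu-cookie-disable">' . esc_html($disable_text) . '</span>';
}

// Reflected case: a GET parameter echoed back into an attribute goes through
// esc_attr, so quotes become entities and cannot close the attribute.
function render_filter_box(array $get) {
    $filter = isset($get['s_filter']) ? (string) $get['s_filter'] : '';
    return '<input type="text" name="s_filter" value="' . esc_attr($filter) . '">';
}

// Constructed inputs carrying a benign break-out marker in each context.
$font  = '#ff0000"><i>injected</i>';
$text  = 'Disable cookies</span><i>injected</i>';
$query = ['s_filter' => '"><i>injected</i>'];

echo render_cookie_bar_style($font, '#ffffff'), "\n";
echo render_cookie_bar_text($text), "\n";
echo render_filter_box($query), "\n";
```

The colour case is the one worth noting: because the value is interpolated into a style sheet rather than into HTML text, an HTML escaper would not reject it, so the fix is validation against the expected format rather than encoding.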
WordPress Plugin – Events Manager – Stored XSS (CVE-2019-16523)
The events-manager plugin before 5.9.6 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map).
The plugin provides shortcodes to create a map widget, e.g. for displaying the location of an event. Those maps can be visually adjusted by providing a custom style via the attribute map_style in the shortcode. The usage of HTML inside shortcode attributes is limited in order to prevent XSS. However, in this case it is possible to inject arbitrary HTML and JavaScript because the map_style attribute expects a base64-encoded JSON object, which allows bypassing the sanitization. The shortcodes locations_map and events_map are affected by this problem.
An authenticated attacker with the ability to create posts can execute JavaScript code in a victim’s browser. The impact depends on the level of access of the attacked user. In case of an admin this can lead to the execution of PHP code.
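Filtering the encoded attribute tells you nothing about the bytes it decodes to. The following is an added example, not the Events Manager plugin's own code, of handling such an attribute: decode strictly, require valid JSON, keep only known keys and well-typed values, and build the output from that validated structure. It assumes the JSON follows the Google Maps styled-map format (featureType, elementType, stylers) and that the result is written into a data attribute; both the attribute name and the esc_attr fallback are assumptions so the file runs outside WordPress.

```php
<?php
// Added example (not the Events Manager plugin's own code): a shortcode
// attribute that carries a base64-encoded JSON object is decoded, parsed and
// validated against an allow-list before anything derived from it is written
// to the page. The attribute name and the style vocabulary are assumed.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable shape: the decoded bytes are trusted because the encoded form
// passed the attribute filter, so any HTML inside them reaches the page.
function map_style_attr_unsafe($map_style) {
    return ' data-map-style="' . base64_decode($map_style) . '"';
}

// Hardened shape: decode strictly, require valid JSON, keep only known keys
// with values of the expected type, then re-serialise. The output is built
// from the validated structure, never from the submitted bytes.
function map_style_attr_safe($map_style) {
    $raw = base64_decode((string) $map_style, true);   // strict: reject non-base64
    if ($raw === false) {
        return '';
    }
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return '';
    }
    $clean = [];
    foreach ($decoded as $entry) {
        if (!is_array($entry)) {
            continue;
        }
        $item = [];
        // Only a small, known vocabulary of styled-map keys is kept.
        foreach (['featureType', 'elementType'] as $key) {
            if (isset($entry[$key]) && is_string($entry[$key])
                && preg_match('/^[a-z.]+$/', $entry[$key])) {
                $item[$key] = $entry[$key];
            }
        }
        if (isset($entry['stylers']) && is_array($entry['stylers'])) {
            $item['stylers'] = [];
            foreach ($entry['stylers'] as $styler) {
                if (!is_array($styler)) {
                    continue;
                }
                if (isset($styler['color']) && is_string($styler['color'])
                    && preg_match('/^#[0-9a-fA-F]{6}$/', $styler['color'])) {
                    $item['stylers'][] = ['color' => $styler['color']];
                }
                if (isset($styler['visibility'])
                    && in_array($styler['visibility'], ['on', 'off'], true)) {
                    $item['stylers'][] = ['visibility' => $styler['visibility']];
                }
            }
        }
        if ($item !== []) {
            $clean[] = $item;
        }
    }
    if ($clean === []) {
        return '';
    }
    return ' data-map-style="' . esc_attr(json_encode($clean)) . '"';
}

// Constructed inputs: one legitimate style array, one carrying markup after
// a valid-looking JSON prefix.
$legit = base64_encode(json_encode([
    ['featureType' => 'water', 'stylers' => [['color' => '#0000ff']]],
]));
$hostile = base64_encode('[{"featureType":"water"}]"><i>injected</i>');

echo '<div' . map_style_attr_unsafe($hostile) . '></div>', "\n";
echo '<div' . map_style_attr_safe($hostile) . '></div>', "\n";
echo '<div' . map_style_attr_safe($legit) . '></div>', "\n";
```

The hostile input is rejected twice over in the safe path: json_decode fails on the trailing markup, and even a well-formed object with an unexpected key or value would be dropped by the allow-list. Re-serialising with json_encode and escaping with esc_attr means the only thing that can reach the page is a JSON string made of vetted keys and values.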
WordPress Plugin – All in One SEO Pack – Stored XSS (CVE-2019-16520)
The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.
The plugin adds several fields to the page where a post can be created or edited. This allows setting a custom title and description for each post. The information provided there is inserted into the corresponding meta tags on the page of the post. The values of the fields are escaped before they are inserted into the HTML of the page.
However, if an attacker sets a payload in the title field and provides a placeholder for the value of the title field in the description field, the raw value of the title field will get inserted in the description. The description is not sanitized or encoded afterwards. This allows the attacker to break out of the meta-tag attribute and insert arbitrary HTML and JavaScript.
An authenticated attacker with the ability to create posts can execute JavaScript code in a victim’s browser. The impact depends on the level of access of the attacked user. In case of an admin this can lead to the execution of PHP code.
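The defect here is one of ordering: escaping happens before a substitution step that pastes raw data back in. The following is an added example, not the All in One SEO Pack plugin's own code, placing the vulnerable order beside the hardened one. The placeholder syntax (%post_title%) and the esc_attr fallback are assumptions so the file runs outside WordPress.

```php
<?php
// Added example (not the All in One SEO Pack plugin's own code): escaping
// before placeholder substitution re-introduces raw data; substitute first,
// then escape the final string once. Placeholder syntax is assumed.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable order: the description is escaped, then the raw title is pasted
// in, so whatever the title contains lands in the attribute unencoded.
function meta_description_unsafe($title, $description) {
    $escaped = esc_attr($description);
    $content = str_replace('%post_title%', $title, $escaped);
    return '<meta name="description" content="' . $content . '">';
}

// Hardened order: build the complete plain-text value first, then escape at
// the point of output. No step after esc_attr touches the string.
function meta_description_safe($title, $description) {
    $content = str_replace('%post_title%', $title, $description);
    return '<meta name="description" content="' . esc_attr($content) . '">';
}

// Constructed inputs: a title carrying a benign attribute break-out marker
// and a description that pulls it in through the placeholder.
$title       = 'Hello"><i>injected</i>';
$description = 'Summary of %post_title%';

echo meta_description_unsafe($title, $description), "\n";
echo meta_description_safe($title, $description), "\n";
```

The rule this illustrates is that escaping is a property of the output point, not of the stored value: any transformation that runs after the escape (placeholder expansion, string concatenation, template merging) has to be treated as producing untrusted data again.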