Jekyll2026-01-26T00:12:27+07:00https://advisory-akbar.kustirama.id//feed.xmladvisory.abay.shWhere I pretend to know things and spot for my brain dumps.abayakbar@kustirama.idCVE-2024-37389 — Apache NiFi Improper Neutralization of Input in Parameter Context Description2024-06-07T00:00:00+07:002024-06-07T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-37389Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

This issue is being tracked as NIFI-13374

Proof of Concepts

Apache NiFi allows users to add comments to a Parameter Context. However, the input for this comments was not properly sanitized, leading to a Cross-Site Scripting (XSS) vulnerability. This could allow malicious users to inject and execute arbitrary scripts, posing significant security risks.

  1. Create a new Parameter Context with XSS payload in the comment section.
  2. Create a new Process Group. While the popup shows, hover the cursor to the “?” icon to trigger XSS.

XSS Payload will triggered once you hover in the ? icon for description in tooltip.

Impact

An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user.

]]>abayakbar@kustirama.idCVE-2023-6487 — LuckyWP Table of Contents <= 2.1.4 - Authenticated Cross-Site Scripting2024-05-21T00:00:00+07:002024-05-21T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2023-6487The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Header Title’ field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Proof of Concepts

The plugin provides features for custom Header Titles. The form was not sanitized, causing an XSS vulnerability

  1. Open Table of Contents Settings /wp-admin/options-general.php?page=lwptoc_settings&tab=general
  2. Add the XSS payload to the Header Title Contents<img src onerror=alert(/XSS/)>

The XSS payload will be triggered when a page with a Table of Contents is opened

Impact

This makes it possible for authenticated attackers, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2024-0598 — Gutenberg Blocks by Kadence Blocks &lt;= 3.2.17 Editor+ Stored Cross-Site Scritpting via Slider Callback2024-04-09T00:00:00+07:002024-04-09T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-0598The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.

The plugin provides a feature to customize “Message Settings” that means alert message that shown after form is submitted. These input is not sanitized, causing an XSS vulnerability.

Proof of Concepts

  1. Create New Post
  2. Add “Form (Adv)” block then Create New form
  3. Select “Contact” form and so on until the form is shown in your page
  4. On your sidebar, there’s Message Settings which a setting for message after form being submitted.
  5. Put XSS payload on “Success Message” <img src onerror=alert(/XSS/)>

Open the created post and fill the form. XSS Payload will triggered after you submit the form.

Impact

This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2023-6486 — Spectra – WordPress Gutenberg Blocks &lt;= 2.10.3 Contributor+ Stored Cross-Site Scritpting via Slider Callback2024-04-03T00:00:00+07:002024-04-03T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2023-6486The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS metabox in all versions up to and including 2.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The plugin provides a Custom CSS option via Spectra Page Settings when creating a new post. However CSS input is not properly sanitized which can lead to XSS vulnerabilities.

Proof of Concepts

  1. Create a new post via /wp-admin/post-new.php
  2. Click the Three Dots at the top right of your screen then select Spectra Page Settings.
  3. Enter the payload </style><script>alert('Spectra XSS')</script><style> in the Custom CSS column
  4. Fill in the post title and body content with whatever value you want

The XSS payload will be triggered when anyone (including the admin) opens the post entry created.

Impact

This makes it possible for authenticated attackers, with Contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2023-4839 — WP Go Maps &lt;= 9.0.32 Administrator+ Stored Cross-Site Scritpting via Slider Callback2024-03-12T00:00:00+07:002024-03-12T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2023-4839The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Proof of Concepts

  1. Go to the plugin page (/wp-admin/admin.php?page=master-slider) then create a new slider.
  2. Open the Slider that you have created then go to the Slider Callbacks tab
  3. Click “Add new callback” with any conditions (ex: On Youtube/Vimeo video close), then enter the XSS payload. 
    function(event){
 var api = event.target;
 </script><img src onerror=alert(/XSS/)>
}
  4. Create a new Post using the shortcode for the slider that has been created

If we directly use alert(\xss\), the XSS payload will not be triggered because it does not meet the required conditions. However, we bypass this condition using the closing script (</script>).

Impact

This makes it possible for authenticated attackers, with Administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2024-0611 — Master Slider – Responsive Touch Slider &lt; 3.9.5 Editor+ Stored Cross-Site Scritpting via Slider Callback2024-03-01T00:00:00+07:002024-03-01T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-0611The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slides callback functionality in all versions up to, and including, 3.9.5. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

This plugin provides a feature to customize Slider Callbacks via script (javascript). I know that the admin could just enter alert(\\xss\\) and this report would not be in scope. However, this plugin requires certain conditions that trigger this script, such as “On slider Init” or “On Youtube/Vimeo video close”.

Proof of Concepts

  1. Go to the plugin page (/wp-admin/admin.php?page=master-slider) then create a new slider.
  2. Open the Slider that you have created then go to the Slider Callbacks tab
  3. Click “Add new callback” with any conditions (ex: On Youtube/Vimeo video close), then enter the XSS payload. 
    function(event){
 var api = event.target;
 </script><img src onerror=alert(/XSS/)>
}
  4. Create a new Post using the shortcode for the slider that has been created

If we directly use alert(\xss\), the XSS payload will not be triggered because it does not meet the required conditions. However, we bypass this condition using the closing script (</script>).

Impact

This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2024-0614 — Events Manager &lt;= 6.4.6.4 Administrator+ Stored Cross-Site Scritpting via Settings2024-02-28T00:00:00+07:002024-02-28T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-0614The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Proof of Concepts

  1. Go to plugin’s setting page /wp-admin/edit.php?post_type=event&page=events-manager-options#general
  2. Under Privacy tab, input XSS Payload in Consent Text form <img src onerror=alert(/XSS/)>I consent to my submitted data being collected and stored as outlined by the site %s.
  3. Create new event and check “Enable registration for this event”

XSS Payload will triggered on Event Page

Impact

This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2024-0602 — Yet Another Related Posts Plugin (YARPP) &lt;= 5.30.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via settings2024-02-20T00:00:00+07:002024-02-20T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-0602The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The plugin provides a feature to customize wording for “excerpt”. These input is not sanitized, causing an XSS vulnerability.

Proof of Concepts

  1. Open YARPP Setting page /wp-admin/options-general.php?page=yarpp
  2. Scroll to section “Automatic Discplay Options”
  3. Put XSS Payload in “Before / after (excerpt): “ ` <img src onerror=alert(/XSS/)>`

Impact

This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2024-0604 — Best WordPress Gallery Plugin – FooGallery &lt;= 2.4.7 -Authenticated(Administrator+) Stored Cross-Site Scripting via settings2024-02-14T00:00:00+07:002024-02-14T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-0604The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Proof of Concepts

  1. Open plugin setting and go to Language section /wp-admin/edit.php?post_type=foogallery&page=foogallery-settings#language
  2. Put XSS Payload ‘Image Viewer “Prev” Text’ form Prev</script><img src onerror=alert(/XSS/)>
  3. Create new Gallery and put the shortcode in a new post

XSS Payload will triggered in the created post.

var FooGallery_il8n = {"template":{"image-viewer":{"prev":"Prev</script><img src onerror=alert(/XSS/)>"}}};

Note: All form in **Image Viewer Template** is vulnerable to XSS

Impact

This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.idCVE-2024-0621 — Simple Share Buttons Adder &lt;= 8.4.11 - Authenticated(Administrator+) Stored Cross-Site Scripting via CSS Settings2024-02-14T00:00:00+07:002024-02-14T00:00:00+07:00https://advisory-akbar.kustirama.id//cve-2024-0621The Simple Share Buttons Adder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

The plugin provides a feature to customize style, but we can escape the </style>. These input is not sanitized, causing an XSS vulnerability.

Proof of Concepts

  1. Open plugin setting then go to “Advanced Setting” tab /wp-admin/options-general.php?page=simple-share-buttons-adder
  2. Insert XSS Payload in “Custom CSS” form </style><img src onerror=alert(/XSS/)>
  3. Set where your share button location

XSS Payload will triggered in the created post .

Impact

This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

]]>abayakbar@kustirama.id