[CVE-2023-5757] How I found a Stored XSS in a plugin with 100K+ downloads
Back in October 2023, I was working on finding vulnerabilities in WordPress plugins.
In one of them, WP Crowdfunding, which has 100K+ downloads, I found a vulnerability.
It was a Stored XSS vulnerability affecting WP Crowdfunding versions <= 2.1.8.
What is WP Crowdfunding?
WP Crowdfunding is a plugin that lets you run crowdfunding campaigns on a WordPress website in just a few clicks.
Vulnerability found in Source Code
So I was auditing the plugin source code, and I found code that looked vulnerable.
Reward.php contains a reward_function.
The function has an explanation that
The reward details are saved to the campaign's tab data. Whenever a user views the crowdfunding page, the web frontend renders the page from the saved data. However, 'wpneo_rewards_description' is not sanitized in any way before it is stored, and it is rendered back into the page without escaping, so inserting a malicious script here results in Stored XSS.
Proof of Concept
The campaign creation form has a 'Reward' field. Inserting JavaScript here saves the script into 'wpneo_rewards_description'. Then, whenever any user views the created campaign, the stored script executes in their browser.
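The store-then-render pattern described above, together with the kind of sanitization the fix added, as an added PHP example that is not WP Crowdfunding's own code. Only the meta key 'wpneo_rewards_description' comes from the write-up; the example_-prefixed function names, the nonce action and the request field names are assumptions for illustration. The WordPress core calls (update_post_meta, get_post_meta, wp_unslash, wp_kses_post, current_user_can, wp_verify_nonce) are real APIs, so the snippet has to be loaded inside WordPress to run.

```php
<?php
/*
 * Added example, not the plugin's code. It models the pattern the write-up
 * describes: a reward description submitted from the campaign form is saved
 * as post meta under 'wpneo_rewards_description' and later echoed into the
 * campaign page. Names prefixed example_ are assumptions.
 */

// --- Vulnerable pattern: raw request data is stored and echoed unescaped ---
function example_save_reward_vulnerable( int $campaign_id ): void {
    // No sanitization: whatever the 'customer' typed goes into the database.
    $description = isset( $_POST['wpneo_rewards_description'] )
        ? wp_unslash( $_POST['wpneo_rewards_description'] )
        : '';
    update_post_meta( $campaign_id, 'wpneo_rewards_description', $description );
}

function example_render_reward_vulnerable( int $campaign_id ): void {
    // The stored value is printed as-is, so a stored <script> runs for
    // every visitor, including an administrator viewing the campaign.
    echo get_post_meta( $campaign_id, 'wpneo_rewards_description', true );
}

// --- Hardened pattern: capability check, nonce, filter on save, escape on output ---
function example_save_reward_hardened( int $campaign_id ): bool {
    // Only a user allowed to edit this campaign may change its rewards.
    if ( ! current_user_can( 'edit_post', $campaign_id ) ) {
        return false;
    }
    // The request must carry a valid nonce (field and action names assumed).
    if ( ! isset( $_POST['example_reward_nonce'] )
        || ! wp_verify_nonce( $_POST['example_reward_nonce'], 'example_save_reward' ) ) {
        return false;
    }
    $raw = isset( $_POST['wpneo_rewards_description'] )
        ? wp_unslash( $_POST['wpneo_rewards_description'] )
        : '';
    // wp_kses_post() keeps the HTML a post author may use (p, a, strong, ...)
    // and strips <script>, on* event handlers and javascript: URLs.
    $clean = wp_kses_post( $raw );
    update_post_meta( $campaign_id, 'wpneo_rewards_description', $clean );
    return true;
}

function example_render_reward_hardened( int $campaign_id ): void {
    $stored = get_post_meta( $campaign_id, 'wpneo_rewards_description', true );
    // Filter on output as well: sanitizing at save time does not protect rows
    // stored before the fix or written through another code path.
    echo wp_kses_post( $stored );
}

// Self-check of the filter against a constructed payload; needs no database,
// only a loaded WordPress so wp_kses_post() exists.
function example_filter_check(): array {
    $payload = '<b>Reward</b><script>alert(document.domain)</script>'
             . '<a href="javascript:alert(1)">tier</a><img src=x onerror=alert(2)>';
    return [
        'input'  => $payload,
        'output' => wp_kses_post( $payload ),
    ];
}
```

Wire example_save_reward_hardened() into the campaign form handler and example_render_reward_hardened() into the template; running example_filter_check() shows the script tag, the onerror handler and the javascript: URL removed while the bold tag and the link survive.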
Impact of the Vulnerability
Since the plugin's default settings allow the 'customer' role to create campaigns, this is a serious vulnerability. A newly registered account receives the 'customer' role, so an attacker only has to register, create a campaign and plant the script in the reward description. This can lead to account takeover by stealing cookies, including the admin's account if an admin views the campaign and their cookie is stolen. One caveat for anyone reproducing this: WordPress sets its authentication cookies with the HttpOnly flag, so document.cookie will not normally expose them; the stored script can still act with the victim's privileges by issuing requests from the victim's browser, which is enough for takeover when the victim is an administrator.
Reporting and the Result
I reported this security vulnerability and got CVE-2023-5757 assigned! String sanitization was added to the original code, and the security issue is now resolved.