Description
The Announce from the Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Affected Version
<= 1.5.2
Fixed / Patched Version
1.5.3
PoC :
- Install
- Go To Settings/ Announce from the Dashboard
- Add New
- Input this payload on Announce content
<script>alert('eneriiii<3')</script> - Pick any user role & save
- Try login to that account with spesific role, payload executed.
Reference
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/announce-from-the-dashboard/announce-from-the-dashboard-152-authenticated-admin-stored-cross-site-scripting
- https://www.cve.org/CVERecord?id=CVE-2024-2963