High-privileged users can access and modify settings directly through the backend. This can lead to a cross-site scripting (XSS) vulnerability if unfiltered_html is disabled but the setting is still accessed by other users. In a multisite setup, for example, the unfiltered_html capability must be disabled for the entire network, not just for one or a few sites. The unfiltered_html setting should be Off by default to prevent malicious users from reaching it directly through the WordPress dashboard and modifying it to include malicious code. Unfortunately, due to the insecure nature of the unfiltered_html setting, and possibly due to a third-party plugin, the unfiltered_html setting was not properly sanitized when the Jeeng Push Notifications plugin was updated from 2.0.3 to 2.0.4. As a result, a malicious user could inject code directly into the setting through the WordPress dashboard; when other users then activate that setting, the injected code runs as an XSS attack.

A cross-site scripting (XSS) vulnerability was identified in the Jeeng Push Notifications plugin, caused by improper sanitization of the unfiltered_html setting.

References

- https://wordpress.org/plugins/jeeng-push-notifications/
- https://wordpress.org/plugins/jeeng-push-notifications/versionhistory/#2.0.4

The unfiltered_html setting is not properly sanitized when updating the Jeeng Push Notifications plugin from 2.0.3 to 2.0.4

To prevent malicious users from accessing the unfiltered_html setting directly through the WordPress dashboard and modifying it to include malicious code, the setting should be Off by default, which also prevents the XSS vulnerabilities that may arise from it. Unfortunately, due to the insecure nature of the unfiltered_html setting, and possibly due to a third-party plugin, a malicious user could inject code directly into the setting through the WordPress dashboard when updating the Jeeng Push Notifications plugin from 2.0.3 to 2.0.4. The injected code would then execute as an XSS attack against other users who have activated this setting on their own WordPress site, for example through an authenticated session with a third-party plugin or theme update mechanism such as the automatic updates available in WP 3.5+.
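As an added illustration (not code from the Jeeng Push Notifications plugin; the option name and all function names are hypothetical), the weak settings-handling pattern the advisory describes is shown beside a hardened version that checks capability and nonce, sanitizes on the way in, and escapes on the way out, so a stored value cannot execute for other users even when unfiltered_html is disabled:

```php
<?php
// Added example, not the plugin's own code. Option and function names are hypothetical.

// WEAK: stores whatever was posted and echoes it back raw. A user who can reach the
// settings page but lacks unfiltered_html can still store markup such as <script>,
// and every administrator who later opens the page executes it (stored XSS).
function example_weak_save_setting() {
    if ( isset( $_POST['example_push_message'] ) ) {
        update_option( 'example_push_message', $_POST['example_push_message'] ); // no sanitization
    }
}
function example_weak_render_setting() {
    // no escaping: stored markup is emitted into the admin page as-is
    echo '<input name="example_push_message" value="' . get_option( 'example_push_message', '' ) . '">';
}

// HARDENED: capability check, nonce, sanitize_callback on input, esc_attr() on output.
// The callback does not depend on unfiltered_html: a plugin setting that every
// administrator views should be filtered regardless of who saved it.
function example_sanitize_push_message( $value ) {
    // wp_kses_post() keeps the HTML allowed for post content and strips script/event handlers;
    // use sanitize_text_field() instead if the setting is plain text.
    return wp_kses_post( (string) $value );
}
function example_register_setting() {
    register_setting( 'example_push_group', 'example_push_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_push_message',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_register_setting' );

function example_hardened_save_setting() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'example_push_save' );
    if ( isset( $_POST['example_push_message'] ) ) {
        // update_option() runs the value through the registered sanitize_callback
        update_option( 'example_push_message', wp_unslash( $_POST['example_push_message'] ) );
    }
}
function example_hardened_render_setting() {
    wp_nonce_field( 'example_push_save' );
    echo '<input name="example_push_message" value="' . esc_attr( get_option( 'example_push_message', '' ) ) . '">';
}
```

Sanitizing on save is not a substitute for escaping on output: a value written before the fix, or through another code path, would still reach the page unescaped without the esc_attr() call.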

Vulnerability Found By:

The vulnerability was discovered by a user on the WordPress.org forums, who noticed that the Jeeng Push Notifications plugin is vulnerable to XSS if unfiltered_html is disabled but the setting is accessed by other users.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:44:00 UTC