CVE-2022-50797

Vulnerability

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting (XSS) vulnerability in the button label fields. Input parameters are not properly sanitized before being stored and rendered, allowing an attacker to inject arbitrary HTML and JavaScript code [1][3]. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) [3].

Exploitation

Exploitation requires restricted authentication, specifically moderator-level privileges, and low user interaction [1]. An attacker with moderator access can inject malicious scripts into the button label settings. When other users (including administrators) view or interact with those buttons in the admin panel or on the front-end, the injected script executes in their browser [1][3].

Impact

Successful exploitation could lead to session hijacking by stealing cookies or tokens, manipulation of application modules, and performing actions on behalf of the victim user [1][3]. The attacker's script operates within the context of the affected WordPress site, potentially compromising sensitive data or functionality.

Mitigation

Users should upgrade to a patched version of the plugin if available, or apply input sanitization as a workaround. As of the public disclosure date (2022-10-17) and the latest reference, version 2.03 is confirmed vulnerable [1]. No vendor-supplied patch has been referenced in the advisory.