CVE-2023-0448

An unauthenticated attacker crafts a URL containing a malicious payload in any GET parameter and sends it to the `admin-ajax.php` endpoint with the `action=surveySubmit` parameter [ref_id=1]. Because the plugin reflects all GET parameters unsanitized in the response, the payload executes in the victim's browser when they visit the crafted link [ref_id=1]. The vulnerability is a reflected cross-site scripting (XSS) issue [CWE-79].

The vulnerable code is in the function `surveySubmit_func()` of the file `includes/class-mbwp-helper.php` [ref_id=1]. The plugin returns all GET parameters in the response to the `surveySubmit` action without any sanitization [ref_id=1].

The advisory states that the fix is included in version 4.3 of the WP Helper Lite plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation requires sanitizing or escaping all GET parameters before reflecting them in the response to the `surveySubmit` action [ref_id=1].

Visit the following URL, replacing TARGET_HOST with the WordPress instance: `http://TARGET_HOST/wp-admin/admin-ajax.php?action=surveySubmit&aaa=xxx">