WordPress WebinarIgnition Plugin <= 2.14.2 is vulnerable to Cross Site Scripting (XSS)
Description
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the Saleswonder.Biz Webinar ignition plugin, versions <= 2.14.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WebinarIgnition plugin for WordPress versions ≤ 2.14.2 allows admin-level users to inject malicious scripts.
Vulnerability
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the Saleswonder.Biz Webinar ignition plugin, versions <= 2.14.2. The vulnerability is present in the WordPress plugin WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce, as described in [1]. Privileged users with admin access can inject persistent scripts that are stored on the server and executed in the context of other users' browsers when the stored data is rendered.
Exploitation
An attacker must have existing admin-level credentials (admin+) to exploit this vulnerability. The attacker can inject malicious JavaScript into input fields that are not properly sanitized, causing the script to be stored. When other users (including other administrators or visitors) load affected pages, the injected script executes automatically. No additional user interaction beyond viewing the page is required from victims [1].
Impact
Successful exploitation results in Stored XSS, allowing the attacker to execute arbitrary JavaScript in the browser of any user viewing the affected page. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data like cookies and authentication tokens. The attack operates at the privilege level of the victim, which could be high if an admin views the injected content [1].
Mitigation
The vulnerability exists in WebinarIgnition plugin version 2.14.2 and earlier. As of April 2023, no fixed version was available, and the plugin's listing on WordPress.org [1] shows version 4.10.32 but does not explicitly state a security fix for this CVE. Users should update to the latest available version (4.10.32 or later) if it addresses the issue, or consider disabling the plugin until a vendor-confirmed security patch is released. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of publication [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.14.2
- Saleswonder.biz/Webinar ignition, v5, Range: n/a
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.