← Advisories

WordPress Plugin OneSignal 1.17.5 Persistent Cross-Site Scripting

Medium
Advisory ID
ZSL-2019-5530
Release Date
18 July 2019
Vendor
iWT Ltd. - https://www.onesignal.com
Affected Version
1.17.5
CVE
CVE-2019-15827
Tested On
WordPress 5.2.2, Apache/2.4.39, PHP/7.1.30
Summary

OneSignal is a high volume and reliable push notification service for websites and mobile applications. We support all major native and mobile platforms by providing dedicated SDKs for each platform, a RESTful server API, and an online dashboard for marketers to design and send push notifications.

Description

The application suffers from an authenticated stored XSS via POST request. The issue is triggered when input passed via the POST parameter 'subdomain' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
wordpress-onesignal-xss.htmlTXT
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://wordpress.org/plugins/onesignal-free-web-push-notifications/
[2]https://www.exploit-db.com/exploits/47136
[3]https://packetstormsecurity.com/files/153682
[4]https://cxsecurity.com/issue/WLB-2019070091
[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/164034
[6]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15827
[7]https://nvd.nist.gov/vuln/detail/CVE-2019-15827
[8]https://wpscan.com/vulnerability/9478
[9]https://wpvulndb.com/vulnerabilities/9478
[10]https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/onesignal-free-web-push-notifications/onesignal-web-push-notifications-1177-stored-cross-site-scripting
Changelog
18.07.2019Initial release
19.07.2019Added reference [3] and [4]
24.07.2019Added reference [5]
26.04.2020Added reference [6] and [7]
28.09.2021Added reference [8]
16.12.2022Added reference [9] and [10]