Supsystic Digital Publications Path Traversal and Stored Cross-Site Scripting Vulnerability

Vulnerability

A path traversal vulnerability has been identified in the Supsystic Digital Publications WordPress plugin, specifically in version 1.6.9. The vulnerability resides in the 'Folder' input field, where attackers can inject directory traversal sequences to access files outside the web root. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, such as images stored in user home directories. Additionally, the plugin is susceptible to stored cross-site scripting (XSS) attacks. It fails to properly sanitize input in various publication settings, including 'Area Width' and 'Publication Width'. This lack of input validation allows for the injection of scripts that are executed when the publications are viewed or edited.

Impact

Exploitation of the path traversal vulnerability can lead to unauthorized file access, potentially exposing sensitive information. The stored XSS vulnerability allows injected scripts to be executed in the context of the user viewing the publication.

Reproduction

To reproduce the path traversal vulnerability, enter a directory traversal payload into the 'Folder' input field. For example, use a sequence that navigates up the directory structure to access files outside the web root. If the payload attempts to read a directory without proper permissions, it can cause a denial-of-service condition by creating an infinite loop that fills the server's error log, eventually consuming all available disk space. The stored XSS vulnerability can be reproduced by injecting a script payload into any unvalidated input field within the publication settings. The injected script will be executed when the publication is viewed or edited.

Remediation

Users are advised to update to the patched version of the Supsystic Digital Publications plugin. The vulnerability has been fixed in version 1.6.10.
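As an added illustration of the two checks a fix for this class of bug needs (this is example code written for this page, not the plugin's own PHP; the upload root, field names and helper names are assumed): canonicalise the user-supplied 'Folder' value and confirm it stays under the intended base directory, and whitelist the width settings before storing them, escaping again on output.

```python
"""Hardened handling for the two inputs the advisory names: the 'Folder'
path (path traversal) and the width settings (stored XSS).
Constructed example; not the Supsystic plugin's code."""
import os
import re
import html
from typing import Optional

# Assumed base directory that publication folders must stay inside.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/publications"


def resolve_folder(root: str, user_folder: str) -> Optional[str]:
    """Return the canonical path of user_folder under root, or None if it escapes.

    realpath() collapses '..' segments and symlinks, and an absolute user value
    replaces root in os.path.join, so the prefix check below catches both.
    The separator is appended so '/uploads/pub-evil' is not treated as a
    child of '/uploads/pub'.
    """
    if not user_folder or "\0" in user_folder:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_folder))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


# A width is a number with an optional px or % unit; nothing else is stored.
WIDTH_RE = re.compile(r"\d{1,5}(px|%)?")


def sanitize_width(value: str, default: str = "100%") -> str:
    """Whitelist the 'Area Width' / 'Publication Width' value; fall back on default."""
    value = value.strip()
    return value if WIDTH_RE.fullmatch(value) else default


def render_width_attr(value: str) -> str:
    """Escape on output as well, so a value that slipped into storage still
    cannot break out of the attribute when the publication is viewed or edited."""
    return 'style="width: %s"' % html.escape(sanitize_width(value), quote=True)


if __name__ == "__main__":
    print(resolve_folder(UPLOAD_ROOT, "gallery/2024"))
    print(resolve_folder(UPLOAD_ROOT, "../../../../home/user/.ssh"))
    print(render_width_attr('100" onmouseover="alert(1)'))
```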

Added: May 16, 2026, 4:48 PM
Updated: May 16, 2026, 4:48 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.7
exploitability: 6.8
remediation: 0.0
relevance: 8.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.