q2apro q2apro-on-site-notifications Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the q2apro-on-site-notifications plugin for Question2Answer, affecting versions through 1.4.6. The issue arises in the 'process_request' function of 'q2apro-onsitenotifications-page.php', where user input is not properly sanitized before being output, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely and requires user interaction, such as clicking on a notification from the plugin.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, a user must be running a vulnerable version of the q2apro-on-site-notifications plugin. Once this is confirmed, the vulnerability can be triggered by sending a request that includes unsanitized data, such as a message preview or event parameters, which the plugin will then display without proper escaping. This can be done by interacting with the plugin's notification system, which will process the injected data and execute any embedded scripts.

Remediation

Users are advised to upgrade to q2apro-on-site-notifications version 1.4.8, which addresses this vulnerability.