I have discovered a security issue in the Branda plugin that allows an attacker with Administrator privileges to execute arbitrary JavaScript code within the "search module" section. This vulnerability could potentially lead to Cross-Site Scripting (XSS) attacks.
Affected Component: Search Module
Vulnerable Parameter: Search Module
Payload Used for Testing: "><script>alert(2)</script>
Date: 20-12-2023
WordPress Version: 6.4.2
Plugin Version: 3.4.15
PHP Version: 8.2.4
1- Log in to the WordPress dashboard with an admin account.
2- Then install the "Branda" plugin and activate it.
3- Go to the "Dashboard" under the "Branda" section and click on "Search Module".
4- Input the following payload in the "Search Module" field: "><script>alert(2)</script>
5- Observe the behavior on the frontend, and you can see that the payload has been successfully executed.
The Branda plugin should sanitize and validate user input to prevent the execution of arbitrary scripts.
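
The following is an added example, not code from the Branda plugin or from this report: it shows the unescaped-output pattern beside an escaped one, using the test payload above, and checks whether a script element ends up in the parsed markup. It assumes the stored value is echoed into an HTML attribute (suggested by the leading `">` in the payload); the function names and the `<input>` markup are hypothetical.

```php
<?php
// Added illustration; not the plugin's code. Function names and markup are hypothetical.

// Constructed sample input: the test payload quoted in the report.
$payload = '"><script>alert(2)</script>';

// Vulnerable pattern: a stored setting concatenated into an attribute as-is.
function render_search_field_unsafe(string $value): string {
    return '<input type="search" placeholder="' . $value . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// Inside WordPress the equivalent call is esc_attr(); htmlspecialchars()
// is used here so the example runs without WordPress loaded.
function render_search_field_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="search" placeholder="' . $escaped . '">';
}

// Parse the fragment and report whether a <script> element was created.
function contains_script_element(string $html): bool {
    libxml_use_internal_errors(true); // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length > 0;
}

$renderers = [
    'unsafe' => 'render_search_field_unsafe',
    'safe'   => 'render_search_field_safe',
];

foreach ($renderers as $label => $render) {
    $html = $render($payload);
    printf(
        "%-6s script element created: %s\n       %s\n",
        $label,
        contains_script_element($html) ? 'yes' : 'no',
        $html
    );
}
```

Escaping at output covers values already stored in the database; passing the field through sanitize_text_field() when the setting is saved adds input-side filtering on top of that.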