Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Dear Plugin Authors,

    Check the file class-weather-atlas-rest-api.php (I believe the XSS vulnerability lies here)

    1.) The maybe_unserialize and unserialize
    Mitigation: Escape all output data using esc_html(), esc_attr().

    2.) The widget_name might not be sanitized.
    Mitigation: Sanitize or validate all fields to ensure they meet expected formats before returning them.

    Maybe something like this:
    <?php
    // Assuming your namespace and use declarations here if you have any
    class Weather_Atlas_REST_API {

        public function __construct()
        {
            add_action('rest_api_init', array($this, 'register_routes'));
        }

        public function register_routes()
        {
            register_rest_route('weather-atlas/v1', '/widgets', array(
                'methods'             => 'GET',
                'callback'            => array($this, 'get_weather_widgets'),
                'permission_callback' => '__return_true',
            ));
        }

        public function get_weather_widgets()
        {
            global $wpdb;
            $prefix = 'weather_atlas_widget_';

            // Prepare the query securely. esc_like() is needed because '_' is a
            // LIKE wildcard and would otherwise match any single character.
            $query   = $wpdb->prepare(
                "SELECT * FROM {$wpdb->options} WHERE option_name LIKE %s",
                $wpdb->esc_like($prefix) . '%'
            );
            $widgets = $wpdb->get_results($query);

            // Safely sort widgets by 'widget_name' (option_value may not be an array)
            usort($widgets, function ($a, $b) {
                $a_data = maybe_unserialize($a->option_value);
                $b_data = maybe_unserialize($b->option_value);

                $a_name = (is_array($a_data) && isset($a_data['widget_name'])) ? esc_html($a_data['widget_name']) : '';
                $b_name = (is_array($b_data) && isset($b_data['widget_name'])) ? esc_html($b_data['widget_name']) : '';

                return strcmp($a_name, $b_name);
            });

            // Prepare the response with sanitized data
            $formatted_widgets = array();
            foreach ($widgets as $widget) {
                $widget_data = maybe_unserialize($widget->option_value);

                $formatted_widgets[] = array(
                    'id'          => esc_attr(str_replace($prefix, '', $widget->option_name)),
                    'widget_name' => (is_array($widget_data) && isset($widget_data['widget_name']))
                        ? esc_html($widget_data['widget_name'])
                        : 'Unnamed Widget',
                );
            }

            return rest_ensure_response($formatted_widgets);
        }
    }

    manos4wpsites (@manos4wpsites)

  • Same issue here, WPToolkit shows:
    WordPress Weather Atlas Widget plugin <= 3.0.1 – Cross Site Scripting (XSS) vulnerability
    Cross Site Scripting (XSS) vulnerability discovered by LVT-tholv2k (Patchstack Alliance) in WordPress Plugin Weather Atlas Widget (versions <= 3.0.1)
    Date: 18.11.2024 | Source: https://patchstack.com/database/vulnerability/weather-atlas/wordpress-weather-atlas-widget-plugin-3-0-1-cross-site-scripting-xss-vulnerability?_a_id=110

    I disabled the plugin. I will wait a couple of days, and if there is no patch or version update I will try to find where the vulnerability is and update it on my own, or I will replace the plugin with another one. It's a pity; this is a very nice plugin.
