WordPress DirectoriesPro 1.3.45 Cross Site Scripting

2020.12.13
Credit: Jack Misiura
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au

Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or JavaScript injection.

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the _t_ parameter is set to an invalid or non-existent CSRF token.

filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal

3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories

Jack Misiura
Application Security Consultant

-----------

Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au

Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin, import a CSV file containing the following in the header:

'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"

3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories
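Both advisories share one root cause: request data (a form build id in the first, CSV column names in the second) is written into HTML without context-appropriate escaping, and in the first case the value is reflected even though the request's _t_ token is invalid. The following is an added illustration written for this page, not DirectoriesPro's code or the vendor's 1.3.46 fix. It shows the unsafe shape of each pattern beside a hardened equivalent built on WordPress core helpers, and assumes it runs inside a loaded WordPress plugin (so esc_attr(), esc_html(), sanitize_text_field(), wp_unslash(), wp_verify_nonce(), esc_html__() and wp_die() exist). The drts_example_* function names, the hexadecimal build-id format, the 'drts_export' nonce action and the sample CSV line are all assumptions made for the example.

```php
<?php
// Added illustration for this advisory page, not DirectoriesPro's own code.
// Assumes WordPress core is loaded (esc_attr, esc_html, sanitize_text_field,
// wp_unslash, wp_verify_nonce, esc_html__, wp_die). Function names, the
// build-id format and the nonce action are hypothetical.

// ---- Pattern 1 (CVE-2020-29303): a POSTed form build id reflected into an attribute ----

// Vulnerable shape: the raw POST value is concatenated into an attribute.
// A value such as 123"><script>...</script> onmouseover=" closes the
// value="..." attribute and injects markup into the re-rendered form.
function drts_example_build_id_field_unsafe() {
    $build_id = isset($_POST['_drts_form_build_id']) ? $_POST['_drts_form_build_id'] : '';
    return '<input type="hidden" name="_drts_form_build_id" value="' . $build_id . '">';
}

// Hardened shape: only a build id of the expected format is reused, anything
// else is replaced by a freshly generated one, and the value is escaped with
// esc_attr() at the point of output so it cannot terminate the attribute.
// (Assumption: build ids are hexadecimal strings; adapt to the real format.)
function drts_example_build_id_field_safe() {
    $build_id = isset($_POST['_drts_form_build_id'])
        ? wp_unslash($_POST['_drts_form_build_id'])
        : '';
    if (!is_string($build_id) || !preg_match('/^[a-f0-9]{8,64}$/i', $build_id)) {
        $build_id = bin2hex(random_bytes(16));
    }
    return '<input type="hidden" name="_drts_form_build_id" value="' . esc_attr($build_id) . '">';
}

// The PoC deliberately sends an invalid _t_ token: the injection still works
// because the form is re-rendered with the submitted value even though the
// request is rejected. A handler should stop on a bad token instead of
// reflecting anything from the failed request.
function drts_example_handle_export() {
    $token = isset($_POST['_t_']) ? wp_unslash($_POST['_t_']) : '';
    if (!wp_verify_nonce($token, 'drts_export')) { // 'drts_export' is a hypothetical action name
        wp_die(esc_html__('Invalid request token.', 'drts-example'), 403);
    }
    return drts_example_build_id_field_safe();
}

// ---- Pattern 2 (CVE-2020-29304): CSV column names rendered as table headings ----

// Vulnerable shape: the first CSV row is used verbatim as <th> content, so a
// header such as term<b>" autofocus onfocus=... lands in the page unescaped.
function drts_example_csv_headers_unsafe(array $header_row) {
    $html = '<tr>';
    foreach ($header_row as $column) {
        $html .= '<th>' . $column . '</th>';
    }
    return $html . '</tr>';
}

// Hardened shape: treat column names as untrusted input. sanitize_text_field()
// strips tags, line breaks and percent-encoded octets from the stored name,
// and esc_html() encodes what remains (including quotes) for the HTML text context.
function drts_example_csv_headers_safe(array $header_row) {
    $html = '<tr>';
    foreach ($header_row as $column) {
        $name = sanitize_text_field((string) $column);
        if ($name === '') {
            $name = 'column'; // never emit an empty heading for an all-markup name
        }
        $html .= '<th>' . esc_html($name) . '</th>';
    }
    return $html . '</tr>';
}

// Constructed sample: the first line of an uploaded CSV whose second column
// name carries markup, parsed with PHP's own CSV reader.
$sample_header_line = 'id,"term<b>"" autofocus onfocus=alert(1)//",price';
$header_row = str_getcsv($sample_header_line);

echo drts_example_csv_headers_unsafe($header_row), "\n"; // markup reaches the page
echo drts_example_csv_headers_safe($header_row), "\n";   // heading is inert text
```

The two escaping calls differ on purpose: esc_attr() is for values inside a quoted attribute, esc_html() for text between tags; using the wrong one for the context is a common way such fixes regress. The format check on the build id is defence in depth, not a replacement for escaping, since a reviewer cannot see every place a stored value is later echoed.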


Copyright 2021, cxsecurity.com