WordPress WPSchoolPress 2.1.16 Cross Site Scripting

2021.11.16

Credit: Davide Taraschi

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2021-24664

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Date: 20/08/2021
# Exploit Author: Davide Taraschi
# Vendor Homepage: https://wpschoolpress.com/
# Software Link: https://wpschoolpress.com/free-download/
# Version: up to 2.1.17 (non included)
# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
# CVE : CVE-2021-24664
# Description:
The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript.
# PoC:
As admin,
- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when adding another teacher attendance by clicking on the Add button
- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button
- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)
- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Subject
- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Exam=20
Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies.

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress WPSchoolPress 2.1.16 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.