WordPress Plugin Vulnerabilities

Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Register a student account and go to the "Dashboard" plugin (https://example.com/dashboard/settings/)
2. Add the payload `<svg/onload=alert(origin)>` to either the "First Name" or "Last Name" fields.
3. Click on "Update Profile" and reload the page.
4. When you do that, you will see the XSS.

Affects Plugins

Plugin icon
tutor
Fixed in 2.3.0

References

CVE
CVE-2023-4805

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
emad-fazel
Submitter
emad-fazel
Submitter website
http://arganex.top/
Verified
Yes
WPVDB ID
1049e940-49b1-4236-bea2-c636f35c5647

Timeline

Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)

Other

Published
Title
Published
2023-12-01
Title
Seraphinite Accelerator < 2.20.29 - Reflected Cross-Site Scripting via rt
Published
2014-04-25
Title
Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2023-11-10
Title
POWR < 2.2.0 - Contributor+ Stored XSS
Published
2022-01-14
Title
Random Banner < 4.1.6 - Admin+ Stored Cross-Site Scripting
Published
2022-08-22
Title
WP-UserOnline < 2.88.1 - Admin+ Stored Cross-Site Scripting