WordPress Plugin Vulnerabilities
ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget
Description
The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.
Proof of Concept
1. Add the registration shortcode to a page. 2. Add the tabbed login/register widget on the same page. 3. Visit the page logged out and add this to the end of the URL /?tabbed-login-name="><script>alert(1)</script> This could also be replicated by posting to any page with the widget present, which would not need the registration shortcode to be present on the page.
Affects Plugins
Fixed in version 3.1.11
References
Classification
Miscellaneous
Original Researcher
Stiofan
Submitter
Stiofan
Submitter website
Submitter twitter
Verified
No
Timeline
Publicly Published
2021-08-09 (about 1 years ago)
Added
2021-07-12 (about 1 years ago)
Last Updated
2022-02-06 (about 10 months ago)