WPSchoolPress < 2.1.17 - Multiple Admin+ Stored Cross-Site Scripting
Description
The plugin sanitise some fields using sanitize_text_field() but does not escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
Proof of Concept
As admin, - Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another teacher attendance by clicking on the Add button - Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button - Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3) - Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Subject - Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Exam
Affects Plugins
Fixed in version 2.1.17✓
References
Classification
Miscellaneous
Original Researcher
Davide Taraschi
Submitter
Davide Taraschi
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-10-11 (about 3 months ago)
Added
2021-10-11 (about 3 months ago)
Last Updated
2021-10-11 (about 3 months ago)