WordPress Plugin Vulnerabilities
WPSchoolPress < 2.1.17 - Multiple Admin+ Stored Cross-Site Scripting
Description
The plugin sanitise some fields using sanitize_text_field() but does not escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
Proof of Concept
As admin, - Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another teacher attendance by clicking on the Add button - Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button - Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3) - Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Subject - Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Exam
Affects Plugins
Fixed in 2.1.17 References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Davide Taraschi
Submitter
Davide Taraschi
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-11 (about 2 years ago)
Added
2021-10-11 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)
WPScan 