WordPress Plugin Vulnerabilities

User Registration < 3.0.4.2 - Admin+ Stored XSS

Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Install and activate this plugin - https://wordpress.org/plugins/user-registration/.
2. Click "Add Form" under the plugin options.
3. Once the form is created, navigate to the form settings, and in the "Redirect URL" field, inject the following payload: javascript:alert(document.domain) and then click "Update Form."
4. Copy the shortcode generated for the form, go to the "Page" tab, create a new page, paste the shortcode, publish the page, and visit it.
5. Now, fill out the form with any dummy data and click "Submit."
6. This will create a new user and trigger the XSS vulnerability.

Affects Plugins

Plugin icon
user-registration
Fixed in 3.0.4.2

References

CVE
CVE-2023-5228

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Mohamed Azarudheen
Submitter
Mohamed Azarudheen
Verified
Yes
WPVDB ID
50ae7008-46f0-4f89-ae98-65dcabe4ef09

Timeline

Publicly Published
2023-10-16 (about 7 months ago)
Added
2023-10-16 (about 7 months ago)
Last Updated
2023-10-16 (about 7 months ago)

Other

Published
Title
Published
2021-10-06
Title
WP All Export < 1.3.1 - Admin+ Stored Cross-Site Scripting
Published
2014-09-27
Title
wp-video-comm&o Plugin - Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Mingle Forum 1.0.33.3 - wpf.class.php search_words Parameter XSS
Published
2024-02-07
Title
Payment Forms for Paystack <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-01-20
Title
WP Google Map < 4.4.0 - Editor+ Stored XSS