WordPress Plugin Vulnerabilities

Profile Builder < 3.4.8 - Authenticated Stored XSS

Description

The plugin does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

As admin, put the following payload in the Setting (from plugin) > Advanced Settings (/wp-admin/admin.php?page=profile-builder-toolbox-settings) > 'Modify default Redirect Delay timer' field and save: "><script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
profile-builder
Fixed in 3.4.8

References

CVE
CVE-2021-24448

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Akash Rajendra Patil
Submitter
Akash Rajendra Patil
Submitter website
https://akashpatil.me
Submitter twitter
skypatil98
Verified
Yes
WPVDB ID
81e42812-93eb-480d-a2d2-5ba5e02dd0ba

Timeline

Publicly Published
2021-06-30 (about 2 years ago)
Added
2021-06-30 (about 2 years ago)
Last Updated
2022-01-17 (about 2 years ago)

Other

Published
Title
Published
2024-01-09
Title
Happy Elementor Addons < 3.10.1 - Contributor+ Stored Cross-Site Scripting
Published
2023-04-18
Title
f(x) TOC <= 1.1.0 - Contributor+ Stored XSS
Published
2014-08-01
Title
BulletProof Security <= .47 - Cross-Site Scripting (XSS)
Published
2023-12-27
Title
WPCS – WordPress Currency Switcher Professional < 1.2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2017-02-20
Title
AnyVar 0.1.1 - Stored Cross-Site Scripting (XSS)