WP Courses LMS < 2.0.44 – Authenticated Stored XSS via Video Embed Code | CVE 2021-24621 | Plugin Vulnerabilities

Description

The plugin does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues

Proof of Concept

1. On the dashboard, navigate to WP Courses > Courses > Add New > Video Embed Code (iframe) (in the Post settings), inject with <iframe> XSS payload, such as <iframe src="javascript:alert(document.cookie)"></iframe>;  <iframe src="javascript:%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29"></iframe>

2. Click Update, and to trigger XSS payload, open URL path of course

Affects Plugins

Fixed in 2.0.44

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tri Wanda Septian

Submitter

Tri Wanda Septian

Submitter website

https://twseptian.github.io

Submitter twitter

Verified

Yes

WPVDB ID

bfbb32ac-9ef9-46de-8e5e-7d6d6fb868d8

Timeline

Publicly Published

2021-08-16 (about 2 years ago)

Added

2021-08-16 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2024-01-17

Title

WP Recipe Maker < 9.1.1 - Reflected Cross-Site Scripting via Referer

Published

2014-08-01

Title

Mobiloud 1.9.0 - comments/disqus_count.php shortname Parameter Reflected XSS

Published

2015-10-13

Title

WP-Piwik <= 1.0.4 - Cross-Site Scripting (XSS)

Published

2014-04-25

Title

Snapapp <= 1.5 - Multiple Cross-Site Scripting (XSS)

Published

2016-06-14

Title

Yoast SEO < 3.3.0 - Unspecified Cross-Site Scripting (XSS)